Exposure Draft – Attestation and Direct Engagements

Exposure Draft
Auditing and Assurance Standards Board
Proposed Canadian Standards on Assurance Engagements
Attestation and Direct Engagements
June 2014
COMMENTS TO THE AASB MUST BE RECEIVED BY
NOVEMBER 3, 2014
A PDF response form has been posted with this document to assist you in submitting your comments to the
AASB. Alternatively, you may send comments via email (in Word format), to: ed.assurancestds@cpacanada.ca
addressed to:
Greg Shields, CPA, CA
Director, Auditing and Assurance Standards
Auditing and Assurance Standards Board
277 Wellington Street West
Toronto ON M5V 3H2
This Exposure Draft reflects proposals made by the Auditing and Assurance Standards Board (AASB).
Individuals and organizations are invited to send written comments on the Exposure Draft proposals.
Comments are requested from those who agree with the Exposure Draft as well as from those who do not.
Comments are most helpful if they are related to a specific paragraph or group of paragraphs. Any comments
that express disagreement with the proposals in the Exposure Draft should clearly explain the problem and
include a suggested alternative, supported by specific reasoning. All comments received by the AASB will be
available on the web site shortly after the comment deadline, unless confidentiality is requested. The request
for confidentiality must be stated explicitly within the response.
Highlights
The Auditing and Assurance Standards Board (AASB) proposes, subject to comments
received following exposure, to:
• adopt International Standard on Assurance Engagements (ISAE) 3000, Assurance
Engagements Other than Audits or Reviews of Historical Financial Information, as
Canadian Standard on Assurance Engagements (CSAE) 3000, Attestation
Engagements Other than Audits or Reviews of Historical Financial Information; and
• issue a new CSAE 3001, Direct Engagements.
These standards will replace:
• STANDARDS FOR ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF FINANCIAL
STATEMENTS AND OTHER HISTORICAL FINANCIAL INFORMATION, Section 5025;
• QUALITY CONTROL PROCEDURES FOR ASSURANCE ENGAGEMENTS OTHER THAN
AUDITS OF FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL
INFORMATION, Section 5030;
• USE OF SPECIALISTS IN ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF
FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL INFORMATION,
Section 5049;
• USING THE WORK OF INTERNAL AUDIT IN ASSURANCE ENGAGEMENTS OTHER
THAN AUDITS OF FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL
INFORMATION, Section 5050; and
• GENERAL REVIEW STANDARDS, Section 8100.
Background
From March 2009 to September 2013, the International Auditing and Assurance
Standards Board (IAASB) undertook its project to revise (and redraft in clarity format)
ISAE 3000. The AASB closely monitored this work, and provided input to Canadian
members on the IAASB regarding key issues identified in developing the revised ISAE.
In April 2011, the IAASB issued its Exposure Draft of proposed revised ISAE 3000
(ED-ISAE 3000). The proposed ISAE, consistent with the extant standard:
• covered both attestation engagements and direct engagements; and
• for each of those engagement categories, provided guidance for both reasonable
assurance (audit) engagements and limited assurance (review) engagements.
There are many similarities in how attestation engagements and direct engagements
are performed; however, there are fundamental differences. For example, in an
attestation engagement, the practitioner’s objective is to reach a conclusion on a public
statement or assertion issued by the party responsible regarding the underlying subject
matter of the engagement. In a direct engagement, there is no public statement or
assertion by the responsible party: the practitioner expresses a conclusion “directly” on
the underlying subject matter. Both types of engagement are common in Canada.
Appendix D provides a comparison between attestation and direct engagements.
As part of its efforts to obtain input from Canadian stakeholders, in June 2011, the
AASB issued its Invitation to Comment on the proposed ISAE, highlighting matters likely
to be of particular interest to those stakeholders. Taking into account input received, the
AASB responded to the IAASB regarding ED-ISAE 3000, indicating strong support of
the draft ISAE as it related to attestation engagements. However, the AASB noted that it
had significant concerns on proposals regarding direct engagements, particularly the
position taken that the concept of misstatement of subject matter information applies to
direct engagements. The AASB provided suggested wording changes to address this
and other issues. Also, the AASB’s concerns were echoed by Canadian stakeholders,
particularly Canadian legislative auditors, who responded directly to the IAASB.
As a result of comments received in response to ED-ISAE 3000, the IAASB undertook
further consultations regarding direct engagements. These included the Chair of the
IAASB’s ISAE 3000 task force meeting with representatives of the AASB, including
members from the public sector, to clarify concerns raised by Canadian stakeholders
and explore how these might be resolved. Based on further input obtained from Canada
and elsewhere, the IAASB ultimately decided that ISAE 3000 should cover only
attestation engagements, but include a statement that the ISAE “may also be applied to
reasonable and limited assurance direct engagements, adapted and supplemented as
necessary in the engagement circumstances.”
In September 2013, the IAASB approved revised ISAE 3000 as a final standard,
effective for attestation engagements when the assurance report is dated on or after
December 15, 2015. The IAASB will also consider undertaking, at an unspecified future
date, a project to develop an ISAE dealing with direct engagements.
Adoption of ISAE 3000 as CSAE 3000 with amendments
The AASB has concluded, subject to comments received following exposure, that
ISAE 3000 is appropriate for attestation engagements and should be adopted as
CSAE 3000. Consistent with the views expressed in its response to ED-ISAE 3000, the
AASB feels that CSAE 3000 will provide useful guidance and address the needs of
Canadian practitioners for attestation engagements, both in the private and public
sectors. In the AASB’s view, CSAE 3000 is appropriately principles-based and meets
the fundamentals of a stand-alone and well-integrated standard. Of key importance is
the embedded flexibility backed by reliance on professional judgment and quality control
to accommodate different circumstances, including in the application material
presented.
The AASB also proposes to issue, subject to comments received on exposure, new
CSAE 3001. ISAE 3000 and, therefore, CSAE 3000, covers only attestation
engagements. There is a need for a CSAE covering direct engagements, given that
such engagements are commonly performed. They include, for example, performance
(value-for-money) audits by legislative auditors and some compliance audits.
Proposed amendments in adopting ISAE 3000 as CSAE 3000
Amendments to the wording of ISAE 3000 are being proposed for CSAE 3000. These
amendments have been made in accordance with the AASB’s criteria for such
amendments (see Appendix A), and relate to the following matters:
• Some references in ISAE 3000 to “assurance engagements” have been changed to
refer to “attestation engagements” to more clearly indicate that CSAE 3000 applies
only to attestation engagements. The only references to direct engagements
retained are those in the definitions explaining the various categories of assurance
engagements.
• Material has been added to CSAE 3000 to refer to CSAE 3001 to indicate, for
example, that each of these CSAEs has equal authority and status.
• References to the IESBA Code of Conduct have been replaced with references to
relevant rules of professional conduct/codes of ethics in Canada applicable to the
practice of public accounting and related to assurance engagements, issued by
various professional accounting bodies. This proposed amendment is consistent
with the approach taken in adopting other international standards and is discussed
in the Preface to the CPA Canada Handbook – Assurance. Also, application and
explanatory material listing key matters addressed in the IESBA Code has been
replaced with a similar list of key matters typical of rules of professional conduct in
Canada.
• References in the ISAE to the International Framework for Assurance Engagements
and the IFAC’s Member Body Compliance Program and Statements of Membership
Obligations have been deleted.
• The effective date of CSAE 3000 is different from that of ISAE 3000 (see discussion
below under “Effective Date.”)
Relationship of CSAE 3001 to CSAE 3000
The AASB has concluded the following, subject to comments received:
• CSAE 3001 should be based on CSAE 3000. Differences in wording between the
two CSAEs relate only to differences between the performance of an attestation
engagement and the performance of a direct engagement. The decision to limit
differences in this way was made after careful consideration. Input obtained in
developing the ED indicated a strong desire among stakeholders that CSAE 3001
have the same quality and status as CSAE 3000. In the AASB’s view, a wider range
of differences between the two CSAEs would significantly reduce understandability
and clarity and potentially create misperceptions of differences in quality.
• For clarity and ease of use, CSAE 3001 should be self-standing. That is, it should
address the same matters as CSAE 3000: those performing direct engagements
should not have to refer to CSAE 3000, and vice versa.
• CSAE 3000 and CSAE 3001 should have equal status and authority.
Key differences between extant umbrella standards and the
proposed CSAEs
Key differences between the extant umbrella standards in the Handbook and
CSAE 3000 and CSAE 3001 relate to the following:
• number and format of the standards;
• relationships among assurance standards;
• terminology and definitions;
• specifications regarding those assurance providers who can claim compliance with
the assurance standards;
• requirements in extant umbrella standards not reflected as requirements in
CSAE 3000 and CSAE 3001;
• additional requirements; and
• limited assurance engagements.
Each of the differences is discussed below.
Number and format of the standards
Currently, the Handbook contains umbrella standards (Sections 5025, 5030, 5049 and
5050) that apply to all assurance engagements other than audits and reviews of
historical financial information (see Appendix C). Section 8100 is an umbrella standard
for review engagements. These standards would be replaced by two standards,
CSAE 3000 and CSAE 3001. One result is that the topics of quality control, use of the
work of experts and use of the work of internal audit will no longer be addressed in
separate umbrella standards.
In the view of the AASB, the concise and accurate integration of requirements on
various specific topics within CSAE 3000 and CSAE 3001 clearly shows how
these topics fit within the context of the overall approach to an assurance engagement.
CSAE 3000 and CSAE 3001 are also drafted in the clarity format used in international
standards, as well as the Canadian Auditing Standards (CASs) and recently revised and
clarified standards in the Handbook. Under the clarity format, each standard contains
introductory material, an objective, definitions, requirements (positioned together within
the standard, with each requirement containing the word “shall”), and application and
explanatory material. All requirements are referenced to relevant application and
explanatory material, and vice versa.
Relationships among assurance standards
Requirement paragraphs 14-19 of CSAE 3000 (paragraphs 16-21 of CSAE 3001) deal
with topics regarding compliance with the umbrella CSAEs that the practitioner needs to
understand. These are largely covered in AUTHORITY OF AUDITING AND ASSURANCE
STANDARDS AND OTHER GUIDANCE FOR ENGAGEMENTS OTHER THAN AUDITS OF
FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL INFORMATION,
Section 5021. However, paragraph 14 of CSAE 3000 (paragraph 16 of CSAE 3001) is
particularly important, in that it notes that a practitioner needs to comply with the
relevant umbrella CSAE as well as any subject-matter-specific CSAEs relevant to the
engagement. This is different from what is stated in paragraph 5025.02 (i.e., that if a
specific standard exists, practitioners follow that specific standard to fulfill their
professional responsibilities).
Subject-matter-specific assurance standards in the Handbook (sometimes called
“engagement-level standards”) include those listed in Appendix C (in the box under
“other information”). Some of these standards establish links to the umbrella standards
consistent with paragraph 14 of CSAE 3000 (paragraph 16 of CSAE 3001). For
example, paragraph 14 of Section 5925, AN AUDIT OF INTERNAL CONTROL OVER
FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL
STATEMENTS states: “When performing an audit of internal control over financial
reporting, the auditor shall comply with Section 5025.”
Terminology and definitions
The fundamental concepts underlying CSAE 3000 and CSAE 3001 are similar to those
underlying Section 5025. However, there are differences in terminology and in the ways
that certain concepts are described. Key examples of such differences include the
following:
Engagement partner vs. practitioner
In the CSAEs, the “engagement partner” is the partner or other person in the firm (or the
public sector equivalent) who is responsible for the engagement and its performance
and the assurance report that is issued. In the extant umbrella standards, that person is
the “practitioner” (as defined in Section 5025 and Section 5030).
In the CSAEs, the “practitioner” is the individual(s) conducting the engagement (usually
the engagement partner or other members of the engagement team or, as applicable,
the firm). When the CSAEs expressly intend that a requirement or responsibility be
fulfilled by the engagement partner, the term “engagement partner” rather than
“practitioner” is used.
Engagement team vs. assurance team
In the CSAEs, the “engagement team” excludes a practitioner’s external expert
engaged by the firm or a network firm. While an external expert needs to be objective,
that expert is not expected, for example, to necessarily meet all of the rules of
professional conduct to which the members of the engagement team are subject. In the
extant umbrella standards, the “assurance team” includes any specialists who act as
members of the assurance team.
Reasonable assurance engagement vs. audit engagement
The concepts of “reasonable assurance engagement” and “audit engagement” are
equivalent. In the CSAEs, a “reasonable assurance engagement” is defined as an
assurance engagement in which the practitioner reduces engagement risk to an
acceptably low level in the circumstances of the engagement as the basis for the
practitioner’s conclusion. In Section 5025, in an “audit engagement”, the practitioner
provides a high, though not absolute, level of assurance by designing procedures so
that in the practitioner’s judgment, the risk of an inappropriate conclusion (i.e.,
engagement risk) is reduced to a low level through the procedures performed. A key
difference in the way these types of engagement are described is that the CSAEs do
not use the terminology “high, though not absolute.”
Limited assurance engagement vs. review
The concepts of “limited assurance engagement” and “review” are equivalent. In the
CSAEs, in a limited assurance engagement, the practitioner reduces engagement risk
to a level that is acceptable in the circumstances of the engagement but where that risk
is greater than for a reasonable assurance engagement. The level of assurance to be
obtained must be meaningful (i.e., likely to enhance users’ confidence about the matters
being reported on to a degree that is clearly more than inconsequential). In Section 5025,
in a review, the practitioner provides a moderate level of assurance (i.e., the risk of an
inappropriate conclusion is reduced to a moderate level, vs. the low level in an audit
engagement). Section 5025 does not use the term “meaningful level of assurance”.
Rather, the risk of an inappropriate conclusion is reduced to a moderate level when the
evidence obtained enables the practitioner to conclude the subject matter is plausible in
the circumstances.
Specifications regarding those assurance providers who can claim compliance
with the assurance standards
Unlike Section 5025, CSAE 3000 and CSAE 3001 provide explicit information regarding
when an assurance provider can claim compliance with a CSAE. Paragraph C3(a) of
CSAE 3000 (paragraph C5(a) of CSAE 3001) notes that an engagement team and
engagement quality control reviewer (when one is appointed) are subject to rules of
professional conduct that apply to the practice of public accounting or other rules that
are at least as demanding. Paragraph C3(b) of CSAE 3000 (C5(b) of CSAE 3001) notes
that the practitioner must be a member of a firm (which includes the public sector
equivalent) that is subject to the Canadian Standard on Quality Control (CSQC) 1,
Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and
Other Assurance Engagements, or other professional requirements that are at least as
demanding.
The assurance work may be performed by a multi-disciplinary team. If the practitioner is
not a professional accountant, the firm’s code of professional conduct is considered to
be “other professional requirements” that the practitioner is required to adhere to in
order to claim compliance with CSAEs.
Requirements in extant umbrella standards not reflected as requirements in
CSAE 3000 and CSAE 3001
A key characteristic of high-quality assurance standards is that they are appropriately
balanced regarding the relative emphasis they place on principles, rules and detailed
supporting guidance. The issue of how best to achieve an appropriate balance was
debated by the IAASB in developing ISAE 3000. The IAASB concluded that ISAE 3000
should contain only those requirements essential to performing an assurance
engagement. This recognizes that an umbrella standard does not need to have the
extensive, detailed requirements that are contained, for example, in standards that
apply to the audit of historical financial statements. On the other hand, it is important
that assurance standards be self-standing. That is, a practitioner performing an
assurance engagement will not always be familiar with standards that apply to financial
statement audits and, therefore, should not have to refer to those standards for
guidance.
The AASB agrees with the approach taken by the IAASB in determining the nature and
extent of requirements in the umbrella standards. Like ISAE 3000, CSAE 3000 and
CSAE 3001 contain extensive requirements. However, not all requirements in the extant
umbrella standards appear in the CSAEs.
The AASB carefully considered whether CSAE 3000 should be amended to include all
the requirements in the extant umbrella standards. It decided that no additions or
amendments should be made to the wording of CSAE 3000 to add requirements.
In the AASB’s view, the exclusions of these requirements do not undermine the quality
of CSAE 3000 or CSAE 3001 (i.e., effective assurance engagements can be performed
without making such amendments). Appendix B identifies requirements in the extant
umbrella standards not reflected in CSAE 3000 and CSAE 3001.
Additional requirements
The extant umbrella standards in the Handbook and CSAE 3000 and CSAE 3001 are
principles-based standards. They are meant to strike an appropriate balance between
allowing practitioners to exercise professional judgment and at the same time setting
out requirements in sufficient number, and with sufficient detail and prescription, to help
ensure a uniform high quality of performance regarding assurance engagements.
Overall, the requirements in CSAE 3000 and CSAE 3001 cover the same topics as
those in the extant umbrella standards. However, the number of requirements in these
CSAEs exceeds that in the extant standards. It should be noted, though, that the extant
standards also contain many paragraphs that can be viewed as quasi requirements,
since although they are not italicized recommendation paragraphs, they use the words
“should” or “would” in describing matters related to performing an assurance
engagement.
Set out below is a brief discussion of key requirements in CSAE 3000 and CSAE 3001
that are in addition to those contained in extant umbrella standards, or are significantly
more detailed or prescriptive.
Assurance report prescribed by law or regulation
Paragraph 30 of CSAE 3000 (paragraph 32 of CSAE 3001) sets out requirements
related to circumstances when the layout or wording of an assurance report is
prescribed by law or regulation, including actions to be taken when users might
misunderstand the assurance conclusion in such a report. Section 5025 does not have
a requirement dealing with this matter.
Characteristics of the engagement partner
Paragraph 31 of CSAE 3000 (paragraph 33 of CSAE 3001) requires the engagement
partner to be a member of a firm that applies CSQC 1, or requirements at least as
demanding. Neither Section 5025 nor Section 5030 has this requirement.
Involvement of another practitioner (not part of the engagement team)
The subject matter information (in an attestation engagement) or the underlying subject
matter (in a direct engagement) may include information upon which another
practitioner has expressed a conclusion. Paragraph 32(b)(ii) of CSAE 3000
(paragraph 34(b)(ii) of CSAE 3001) requires the engagement partner to be satisfied that
the practitioner will be able to be involved with the work of another practitioner, not part
of the engagement team, where the assurance work of that practitioner is to be used.
This matter is not addressed in the extant umbrella assurance standards.
Intentional non-compliance with laws and regulations affecting the underlying subject
matter
Paragraph 45 of CSAE 3000 (paragraph 47 of CSAE 3001) requires the practitioner to
make enquiries of the appropriate parties regarding whether they have knowledge of
any actual, suspected or alleged intentional misstatement in the case of an attestation
engagement or non-compliance with laws and regulations affecting the subject matter
information (in the case of an attestation engagement) or any actual, suspected or
alleged intentional deviation (in the case of a direct engagement). The extant umbrella
standards do not have a similar requirement.
Evaluating the design of controls and whether they have been implemented
For reasonable assurance engagements, paragraph 47R of CSAE 3000
(paragraph 49R of CSAE 3001) requires the practitioner to evaluate the design of those
controls relevant to the engagement and determine whether they have been
implemented by performing procedures in addition to inquiry of the personnel
responsible for the subject matter information (in an attestation engagement) or
underlying subject matter (in a direct engagement). This requirement is significantly
more onerous than that in paragraph 5025.48.
The controls relevant to the engagement depend, for example, on the scope of the
engagement and the nature of underlying subject matter. The practitioner’s evaluation
of the design of the controls and whether they have been implemented includes
consideration of how the controls relate to management’s stated objectives regarding
the underlying subject matter, including the related risks that management is trying to
address. To obtain evidence about the design and implementation of controls relevant
to the engagement, the practitioner may perform procedures such as inquiring of entity
personnel, observing the application of specific controls, inspecting documents and
reports and performing a walk-through. A walk-through consists of tracing transactions
through systems that are relevant to the engagement.
Identifying and assessing the risks of material misstatement (for attestation
engagements) and material deviation (for direct engagements) and responding to those
assessed risks
For reasonable assurance engagements, paragraph 48R(a) of CSAE 3000
(paragraph 50R(a) of CSAE 3001) requires the practitioner to identify and assess the
risks of material misstatement (in an attestation engagement) or the risk of a material
deviation (in a direct engagement). Paragraph (b) requires the practitioner to design and
perform procedures to respond to the assessed risks and obtain reasonable assurance
to support the practitioner’s conclusion, including in the particular circumstance set out
in the requirements, obtaining sufficient appropriate evidence of the operating
effectiveness of the relevant controls. Section 5025 does not contain equivalent
requirements.
Accumulated uncorrected misstatements or aggregate effect of individual deviations
Paragraph 51 of CSAE 3000 requires the practitioner to accumulate uncorrected
misstatements. Paragraph A118 indicates that the purpose of this accumulation is to
enable the practitioner to evaluate whether, individually or in aggregate, the
misstatements are material when forming the practitioner’s conclusion. Paragraph 53 of
CSAE 3001 requires the practitioner to consider whether individual deviations identified
during the engagement (other than those that are clearly trivial) have characteristics, for
example, a root cause or a problematic pattern, that indicate the aggregate effect of
individual deviations is likely to be material. There are no equivalent requirements in
Section 5025.
Written representations from appropriate parties
Paragraphs 56-60 of CSAE 3000 set out requirements related to requesting written
representations from appropriate parties, including a representation that the practitioner
has been provided with all the information of which the appropriate parties are aware
that is relevant to the engagement. Paragraphs 58-62 of CSAE 3001 set out
requirements similar to those in CSAE 3000. However, paragraph 58, reflecting the
difference between an attestation engagement and direct engagement, requires the
practitioner to request from the appropriate party(ies) a written representation that it has
provided the practitioner with all information of which the appropriate party(ies) is aware
that has been requested or that could materially affect the findings or the conclusion of
the engagement report. Paragraph 60 of CSAE 3000 (paragraph 62 of CSAE 3001)
states what the practitioner is required to do if a requested written representation is not
provided or is not reliable. Section 5025 does not contain equivalent requirements.
These new requirements could represent a significant change from current practice for
some legislative audit offices in carrying out value-for-money (performance) audits.
Subsequent events
Paragraph 61 of CSAE 3000 (paragraph 63 of CSAE 3001) requires the practitioner to
respond to facts that become known to the practitioner after the date of the assurance
report that, had they been known by the practitioner at that date, may have caused the
practitioner to amend the assurance report. Section 5025 does not contain an
equivalent requirement. Paragraph 8100.47 covers this matter for review engagements
but this paragraph is not a requirement.
Other information
Paragraph 62 of CSAE 3000 (paragraph 64 of CSAE 3001) sets out required
procedures in circumstances when documents containing the subject matter information
and the assurance report thereon (in an attestation engagement) or the assurance
report (in a direct engagement) also contain other information. The practitioner is
required to read that other information to identify material inconsistencies with the
subject matter information or the assurance report (in an attestation engagement), or
the assurance report (in a direct engagement), and take follow up actions if the
practitioner becomes aware of a material inconsistency or a material misstatement of
fact in the other information. Section 5025 does not contain a similar requirement.
Assurance report content
Overall, the assurance report content required by CSAE 3000 and CSAE 3001 is similar
to that required by Section 5025. The following are significant matters required for
inclusion in the report by various subparagraphs in paragraph C69 of CSAE 3000
(paragraph 70 of CSAE 3001) that are not required by Section 5025.
• A description of any significant inherent limitations associated with the
measurement or evaluation of the underlying subject matter against the applicable
criteria (paragraph (e)).
• When the applicable criteria are designed for a specific purpose, a statement
alerting readers to this fact and that, as a result, the subject matter information (in
an attestation engagement) (practitioner’s report, in a direct engagement) may not
be suitable for another purpose (paragraph (f)).
• A statement that the firm of which the practitioner is a member applies CSQC 1, or
other professional requirements, or requirements in law or regulation, that are at least
as demanding as CSQC 1. If the practitioner is not a professional accountant, the
statement shall identify the professional requirements, or requirements in law or
regulation, applied that are at least as demanding as CSQC 1 (paragraph (i)).
• A statement that the practitioner complies with the independence and other ethical
requirements of the relevant rules of professional conduct/code of ethics applicable
to the practice of public accounting and related to assurance engagements, issued
by various professional accounting bodies or other professional requirements, or
requirements imposed by law or regulation, that are at least as demanding. If the
practitioner is not a professional accountant, the statement shall identify the
professional requirements, or requirements imposed by law or regulation, applied that
are at least as demanding (paragraph (j)).
Other communication responsibilities
Paragraph 78 of both CSAE 3000 and CSAE 3001 requires the practitioner to consider
whether, pursuant to the terms of the engagement and other engagement
circumstances, any matter has come to the attention of the practitioner that is to be
communicated with the responsible party, the measurer or evaluator (in an attestation
engagement), the engaging party, those charged with governance or others.
Section 5025 does not have a similar requirement.
Documentation
Paragraphs 79-83 of both CSAE 3000 and CSAE 3001 contain documentation
requirements that are more extensive and prescriptive than the requirement in
paragraph 5025.58. The focus in the CSAEs is on the timeliness of documentation
preparation and the objective of preparing documentation that will enable an
experienced practitioner, having no previous connection to the engagement, to
understand fundamental aspects of the engagement as described in
paragraph 79 (a)-(c).
Limited assurance engagements
The more extensive and prescriptive requirements in CSAE 3000 and CSAE 3001 apply
to limited assurance engagements as well as reasonable assurance engagements.
Paragraphs 46-49 of CSAE 3000 (48-51 of CSAE 3001) deal with matters regarding
which there are differences between limited assurance engagements and reasonable
assurance engagements. These differences are made clear through use of a table
format. The paragraphs in the left-hand column of the table are marked with an “L” (to
indicate the requirements apply only to limited assurance engagements) and the
paragraphs in the right-hand column are marked with an “R” to indicate that they apply
only to reasonable assurance engagements.
Paragraph 46L of CSAE 3000 (paragraph 48L of CSAE 3001) is more explicit, detailed
and prescriptive than Section 8100 in stating that the understanding of the entity
obtained by the practitioner has to be sufficient to enable the practitioner to identify
where a material misstatement (in an attestation engagement) or a material deviation
(in a direct engagement) is likely to arise, and to design and perform procedures to
address those areas. Paragraphs 8100.17-.18 cover the knowledge of the entity’s
business that a practitioner is expected to obtain; however, these are not requirement
paragraphs.
In addition, the required contents of the report resulting from a limited assurance
engagement set out in CSAE 3000 and CSAE 3001 differ in the following key respects
from the requirements in Section 8100:
• The differences in reporting noted under the heading “assurance report content”
apply to limited assurance engagements as well as reasonable assurance
engagements.
• In addition, paragraph C69(k) of CSAE 3000 (paragraph 70(k) of CSAE 3001)
requires the practitioner to provide an informative summary of the work performed
as the basis for the practitioner’s conclusion. The paragraph notes that in the case
of a limited assurance engagement, an appreciation of the nature, timing and extent
of procedures performed is essential to understanding the practitioner’s conclusion.
Also, in a limited assurance engagement, the summary of the work performed has
to state:
“The procedures performed in a limited assurance engagement vary in nature
and timing from, and are less in extent than for, a reasonable assurance
engagement, and consequently, the level of assurance obtained in a limited
assurance engagement is substantially lower than the assurance that would
have been obtained had a reasonable assurance engagement been
performed.”
• CSAE 3000 and CSAE 3001 do not contain the requirement in paragraph 8100.27
that each page of the information on which the public accountant reports should be
conspicuously marked as being unaudited.
• Financial statement reviews are within the umbrella of Section 8100, which contains
reporting requirements applicable to such reviews. Financial statement reviews are
outside the scope of CSAE 3000 and CSAE 3001.
Consequential amendments
CSAE 3410, Assurance Engagements on Greenhouse Gas Statements, and
CSAE 3416, Reporting on Controls at a Service Organization
Because CSAE 3000 is an umbrella standard covering attestation engagements, the
relationships between that CSAE and each of CSAE 3410 and CSAE 3416 need to be
clarified. As well, the AASB proposes to amend CSAE 3410 and CSAE 3416 to make
their reporting requirements consistent with those in CSAE 3000.
Public Sector Sections of the Handbook
The reporting requirements in AUDITING FOR COMPLIANCE WITH LEGISLATIVE AND
RELATED AUTHORITIES IN THE PUBLIC SECTOR, Section PS 5300, and in
VALUE-FOR-MONEY AUDITING IN THE PUBLIC SECTOR, Section PS 5400, will be revised
to make them consistent with the requirements in CSAE 3000 and CSAE 3001.
Effective date
For revised ISAE 3000, the effective date is for engagements where the assurance
report is dated on or after December 15, 2015. Subject to comments received following
exposure, proposed CSAE 3000 and CSAE 3001 would be effective for assurance
reports dated on or after June 30, 2017. There would be no prohibition against early
adoption.
There are two reasons for the proposed amendment to the effective date. First, firms
will require about 6 months to prepare for the implementation of the CSAEs. Second, in
Canada, some direct assurance engagements extend over a relatively long period of
time (i.e., up to 18 months). See the expected timing below.
Anticipated date CSAEs will be issued: June 2015
Time required by firms to prepare for the implementation: December 2015
Time required to carry out a direct engagement (18 months): June 2017
Effective date for implementation: June 30, 2017
Comments requested
The AASB requests comments on any aspect of proposed CSAE 3000, CSAE 3001 and
consequential amendments to other standards. Comments are most helpful when they
are related to a specific paragraph or group of paragraphs. Any comments that express
disagreement with the proposals in the Exposure Draft should clearly explain the
problem and include a suggested alternative, supported by specific reasoning. When a
respondent agrees with proposals in the Exposure Draft, it will be helpful for the AASB
to be made aware of this view.
The AASB would also welcome views on the following questions:
1. Do you agree that ISAE 3000 should be adopted as CSAE 3000 with the proposed
amendments?
2. The AASB has proposed Canadian amendments to ISAE 3000 as noted above.
Stakeholders are asked to provide comments on the proposed Canadian
amendments, including whether they believe that the proposed amendments are
warranted and meet the AASB’s criteria for such amendments (set out in
Appendix A). If not, what changes are proposed?
3. Are there any other Canadian amendments required to CSAE 3000? If so, please
describe the nature and extent of the amendments. Note that any amendments
proposed would need to meet the criteria set out in Appendix A.
4. Do you agree that CSAE 3001 is needed in Canada to cover direct engagements? If
so, do you agree that CSAE 3001 should be based on ISAE 3000, with the only
differences between the standards relating to differences between attestation
engagements and direct engagements?
5. Do you agree that certain requirements in extant assurance standards not be
reflected in CSAE 3000 and CSAE 3001 (see Appendix B)? If not, which
requirements should be reflected and why?
6. Do you agree with the proposed effective date of the CSAEs?
The deadline for providing your comments to the AASB on the above is November 3,
2014.
For your convenience, a PDF response form has been posted with this document to
assist you in submitting your comments. Alternatively, you may send comments by
email (in Word format), to: assurancestds@cpacanada.ca
APPENDIX A
Amendment Criteria Used by the AASB When Adopting ISAE 3000
as CSAE 3000
With respect to the adoption of ISAE 3000 as CSAE 3000, the AASB’s overriding goal is
to adopt ISAE 3000 into the Assurance Handbook with minimal amendments. The
following sets out the limited circumstances when the AASB will make amendments to
ISAE 3000:
1. The AASB will limit additions to ISAE 3000 to those required to comply with
Canadian legal and regulatory requirements.
2. The AASB will limit deletions from, or other amendments to, ISAE 3000 to the
following:
(a) the elimination of options (alternatives) provided for in the ISAE;
(b) requirements or guidance, the application of which Canadian law or regulation
does not permit, or which require amendment to be consistent with law or
regulation; and
(c) requirements or guidance, where the ISAE recognizes that different practices
may apply in different jurisdictions and Canada is such a jurisdiction.
3. The AASB may make amendments to ISAE 3000 with respect to requirements or
guidance that do not fall within 1 or 2 above when it believes that there are
circumstances particular to the Canadian environment where such amendments are
required to serve the Canadian public interest and maintain the quality of auditing
and reporting in Canada.
4. To the extent possible, amendments that are:
(a) additions to ISAE 3000 will not be inconsistent with the current requirements or
guidance in the ISAE; and
(b) deletions from, or other amendments to, ISAE 3000 will be replaced by an
appropriate alternative that achieves the objective of the deleted requirement.
APPENDIX B
Requirements in Extant Assurance Standards Not Reflected in
CSAE 3000 And CSAE 3001
Column 1: REQUIREMENTS IN SECTIONS 5025, 5030, 5049, 5050, 8100
Column 2: DISPOSITION IN THE CSAEs OF THE REQUIREMENTS REFERRED TO IN COLUMN 1
STANDARDS FOR ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF FINANCIAL
STATEMENTS AND OTHER HISTORICAL FINANCIAL INFORMATION, Section 5025
Requirement: Paragraphs 5025.48-.50 describe concept of “significance”, noting that
materiality and significance are synonymous concepts.
Disposition: The CSAEs refer only to “materiality”.
Requirement: Paragraph 5025.62(b) requires the practitioner’s report to describe the
objective of the engagement. Paragraph 5025.64 states that an engagement may have
more than one objective. In such cases, the report would provide a conclusion for
each objective.
Disposition: The CSAEs do not specifically require the practitioner to determine the
objective of the engagement or to conclude against it. This matter is covered off
indirectly by other reporting requirements in paragraph C69 of CSAE 3000 and
paragraph 70 of CSAE 3001 to describe, for example, the subject matter
information/underlying subject matter, identify the applicable criteria and provide an
informative summary of the work performed as the basis for the practitioner’s
conclusion, and the conclusion itself. Also, paragraph A2 of CSAE 3001 explains that
in a value-for-money (performance) audit, the practitioner would normally describe in
the report the overall objective of the engagement and the related conclusion.
QUALITY CONTROL PROCEDURES FOR ASSURANCE ENGAGEMENTS OTHER THAN
AUDITS OF FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL
INFORMATION, Section 5030
Requirement: Paragraph 5030.15 enumerates the steps the practitioner should take to
form a conclusion on compliance with independence requirements.
Disposition: The CSAEs do not present the same level of detail. The section on
“ethical requirements” covers the notion of independence (see paragraphs C20,
CA30-CA34 and CA60 of CSAE 3000 and paragraphs 22, A29-A32 and A57 of
CSAE 3001).
Requirement: Paragraph 5030.40 deals with the circumstance when a difference of
opinion arises within the team, with those consulted, or between the practitioner and
the engagement quality control reviewer.
Disposition: The CSAEs do not contain a similar specific requirement. However, they
state that the engagement quality control reviewer considers whether appropriate
consultation has taken place on matters involving differences of opinion (see
paragraphs 36(b) and A75 of CSAE 3000 and paragraphs 38(b) and A72 of
CSAE 3001).
Requirement: Paragraph 5030.45 provides a long list of matters for the quality
reviewer to consider.
Disposition: The CSAEs address matters for the quality control reviewer to consider,
but the description is not as detailed (see paragraphs 36(b) and A75 of CSAE 3000
and paragraphs 38(b) and A72 of CSAE 3001).
USE OF SPECIALISTS IN ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF
FINANCIAL STATEMENTS AND OTHER FINANCIAL INFORMATION, Section 5049
Requirement: Paragraph 5049 is very detailed, with 85 paragraphs.
Disposition: The CSAEs deal with these matters in a more summarized way in the
following paragraphs:
• Work performed by a practitioner’s expert (see paragraphs 52 and A120-A124 of
CSAE 3000 and paragraphs 54 and A114-A118 of CSAE 3001); and
• Reference to a practitioner’s expert in the assurance report (see paragraphs 70 and
A185-A187 of CSAE 3000 and paragraphs 71 and A176-A178 of CSAE 3001).
USING THE WORK OF INTERNAL AUDIT IN ASSURANCE ENGAGEMENTS OTHER THAN
AUDITS OF FINANCIAL STATEMENTS AND OTHER HISTORICAL FINANCIAL
INFORMATION, Section 5050
Requirement: Paragraph 5050.31 deals with internal audit staff providing direct
assistance in an audit.
Disposition: This notion was not carried forward in the CSAEs.
GENERAL REVIEW STANDARDS, Section 8100
Requirement: Paragraph 8100.15(iii) refers to an objective of assessing whether the
information reported on is plausible.
Disposition: The concept of “plausibility” is not reflected in the proposed CSAE.
Requirement: Section 8100 encompasses reviews of financial statements, as well as
other subject matters, within its scope. As a result, the reporting requirements
(paragraphs 8100.25-.27, 8100.37, 8100.39, and 8100.41) are very detailed and
prescriptive, encompassing matters such as reporting on comparative figures.
Disposition: The proposed CSAEs do not encompass reviews of financial statements
within their scope. While the reporting matters in Section 8100 are addressed in the
proposed CSAEs, the reporting requirements therein are not as prescriptive or
detailed.
APPENDIX C
Current Structure of Assurance Handbook
Assurance Engagements Other than Audits and Reviews of Financial Statements
and Other Historical Financial Information
Preface
Glossary of Terms
CSQC 1
Section 5021
Sections 5025, 5030, 5049, 5050
Audit
Review
Other Information
Financial Statements, Other
Historical Financial Information
and Other Information
CSAE 3410, CSAE 3416
Sections 5800, 5815, 5925,
PS 5000, PS 5300, PS 5400,
PS 6410, PS 6420
CSAE 3410
Sections 7050, 8100, 8200,
8500, 8600
OTHER CANADIAN STANDARDS – ASSOCIATION STANDARDS
Section 5020
Section 5020
Proposed Structure of Assurance Handbook
Preface
Glossary of Terms
CSQC 1
CSAE 3000 Attestation
Engagements Other than
Audits or Reviews of
Historical Financial
Information
CSAE 3410, CSAE 3416,
Sections 5800, 5815,
5925, 8600
CSAE 3001
Direct Engagements
PS 5000, PS 5300, PS 5400,
PS 6410, PS 6420
Sections 5800, 5815, 8600
OTHER CANADIAN STANDARDS – ASSOCIATION STANDARDS
Section 5020
Section 5020
APPENDIX D
Comparison Between Attestation Engagements and Direct
Engagements
Objective
Attestation Engagement: To enhance the degree of confidence of the intended users
about the subject matter information.
Direct Engagement: To enhance the degree of confidence of the intended users about
the practitioner’s conclusion regarding the outcome of the measurement or evaluation
of an underlying subject matter against criteria.
Subject matter information
Attestation Engagement: Public statement or assertion made by the responsible party
regarding its measurement or evaluation of the underlying subject matter (for example,
a statement regarding the entity’s compliance with applicable criteria, and information
related to such compliance).
Direct Engagement: No public statement or assertion made by the responsible party.
Measurer/evaluator
Attestation Engagement: Party other than the practitioner.
Direct Engagement: Practitioner.
Applicable criteria
Attestation Engagement: Party other than the practitioner decides on the applicable
criteria to be used in preparing its subject matter information. The practitioner
determines whether the applicable criteria are suitable for the engagement
circumstances.
Direct Engagement: Practitioner normally decides on the applicable criteria to be used
for the engagement and seeks agreement from the party responsible for the underlying
subject matter that the criteria are suitable.
Non-conformance with criteria
Attestation Engagement: Misstatement of the subject matter information.
Direct Engagement: Deviation of the underlying subject matter from the applicable
criteria.
Reporting
Attestation Engagement: The practitioner’s report includes a conclusion regarding, for
example, whether the subject matter information is, in all material respects, properly
prepared, based on the applicable criteria.
Direct Engagement: The practitioner’s report includes a conclusion regarding whether
the underlying subject matter conforms, in all material respects, with the applicable
criteria.
Examples of engagements
Attestation Engagement:
• An audit of internal control over financial reporting that is integrated with a financial
statement audit.
• An audit or review of an entity’s greenhouse gas emissions.
• An audit of a service organization’s description of its controls and the suitability of
design and operating effectiveness of those controls.
• An audit or review of an entity’s statement or assertion to an external party regarding
the entity’s compliance with an agreement, statute or regulation.
Direct Engagement:
• A value-for-money (performance) audit of a public sector entity when the entity has
made no public statement or assertion regarding such performance.
• An audit or review of an entity’s compliance with an agreement, statute or regulation
when the entity has made no statement or assertion to an external party regarding
such compliance.
PROPOSED CANADIAN STANDARD ON
ASSURANCE ENGAGEMENTS 3000
ATTESTATION ENGAGEMENTS OTHER THAN AUDITS OR
REVIEWS OF HISTORICAL FINANCIAL INFORMATION
(Effective for attestation engagements where the assurance report
is dated on or after June 30, 2017)
CONTENTS
Paragraph
Introduction ... 1-4
Scope ... C5-8
Effective Date ... C9
Objectives ... 10-11
Definitions ... C12-13
Requirements
Conduct of an Attestation Engagement in Accordance with CSAEs ... 14-19
Ethical Requirements ... C20
Acceptance and Continuance ... 21-30
Quality Control ... 31-36
Professional Skepticism, Professional Judgment, and Assurance Skills and Techniques ... 37-39
Planning and Performing the Engagement ... 40-47
Obtaining Evidence ... 48-60
Subsequent Events ... 61
Other Information ... 62
Description of Applicable Criteria ... 63
Forming the Assurance Conclusion ... 64-66
Preparing the Assurance Report ... 67-71
Unmodified and Modified Conclusions ... 72-77
Other Communication Responsibilities ... 78
Documentation ... 79-83
Application and Other Explanatory Material
Introduction ... A1
Objectives ... A2
Definitions ... A3-A20
Conduct of an Attestation Engagement in Accordance with CSAEs ... A21-A29
Ethical Requirements ... CA30-CA34
Acceptance and Continuance ... A35-A59
Quality Control ... CA60-A75
Professional Skepticism and Professional Judgment ... A76-A85
Planning and Performing the Engagement ... A86-A107
Obtaining Evidence ... A108-A139
Subsequent Events ... A140-A141
Other Information ... A142
Description of the Applicable Criteria ... A143-A145
Forming the Assurance Conclusion ... A146-A157
Preparing the Assurance Report ... A158-A187
Unmodified and Modified Conclusions ... A188-A191
Other Communication Responsibilities ... A192
Documentation ... A193-A200
Appendix 1: Roles and Responsibilities
Appendix 2: Illustrations of Differences between Attestation
Engagements and Direct Engagements
Introduction
1.
This Canadian Standard on Assurance Engagements (CSAE) deals with
attestation engagements other than audits or reviews of historical financial
information, which are dealt with in Canadian Auditing Standards (CASs) and
Sections 8200 and 8500,[1] respectively. (Ref: Para. A21-A22)
C2.
Assurance engagements include both attestation engagements, in which a
party other than the practitioner measures or evaluates the underlying subject
matter against the criteria, and direct engagements, in which the practitioner
measures or evaluates the underlying subject matter against the criteria. This
CSAE contains requirements and application and other explanatory material
specific to reasonable and limited assurance attestation engagements. CSAE
3001[2] deals with direct engagements. CSAE 3000 and CSAE 3001 have the
same status and authority; each deals with a different category of engagement.
When appropriate, references to an “assurance engagement” in ISAE 3000
have been changed to “attestation engagement” in this CSAE. Appendix 2
provides illustrations of differences between attestation engagements and direct
engagements. [ISAE 3000, paragraph 2 does not contain the sentences
referring to CSAE 3001. The last sentence in paragraph 2 states: This ISAE
may also be applied to reasonable and limited assurance direct engagements,
adapted and supplemented as necessary in the engagement circumstances.]
C3.
This CSAE is premised on the basis that:
(a) The members of the engagement team and the engagement quality control
reviewer (for those engagements where one has been appointed) are
subject to relevant rules of professional conduct/code of ethics in Canada
applicable to the practice of public accounting and related to assurance
engagements, issued by various professional accounting bodies or other
professional requirements, or requirements in law or regulation, that are at
least as demanding; and (Ref: Para. CA30-CA34) [In ISAE 3000, this
paragraph states: The members of the engagement team and the
engagement quality control reviewer (for those engagements where one
has been appointed) are subject to Parts A and B of the Code of Ethics for
Professional Accountants issued by the International Ethics Standards
Board for Accountants (IESBA Code) related to assurance engagements, or
other professional requirements, or requirements in law or regulation, that
are at least as demanding; and]
[1] PUBLIC ACCOUNTANTS REVIEW OF FINANCIAL STATEMENTS, Section 8200, and REVIEWS OF
FINANCIAL INFORMATION OTHER THAN FINANCIAL STATEMENTS, Section 8500
[2] CSAE 3001, Direct Engagements
(b) The practitioner who is performing the engagement is a member of a firm
that is subject to CSQC 1,[3] or other professional requirements, or
requirements in law or regulation, regarding the firm’s responsibility for its
system of quality control, that are at least as demanding as CSQC 1. (Ref:
Para. A61-A66)
4.
Quality control within firms that perform assurance engagements, and
compliance with ethical principles, including independence requirements, are
widely recognized as being in the public interest and an integral part of
high-quality assurance engagements. Professional accountants in public practice will
be familiar with such requirements. If a competent practitioner other than a
professional accountant in public practice chooses to represent compliance with
this or other CSAEs, it is important to recognize that this CSAE includes
requirements that reflect the premise in the preceding paragraph.
Scope
C5.
This CSAE covers attestation engagements other than audits or reviews of
historical financial information. Where a subject-matter-specific CSAE is
relevant to the subject matter of a particular attestation engagement, that CSAE
applies in addition to this CSAE. (Ref: Para. A21-A22) [In ISAE 3000, this
paragraph states: This ISAE covers assurance engagements other than audits
or reviews of historical financial information, as described in the International
Framework for Engagements (Assurance Framework). Where a subject-matter-specific
ISAE is relevant to the subject matter of a particular engagement, that
ISAE applies in addition to this ISAE.]
6.
Not all engagements performed by practitioners are assurance engagements.
Other frequently performed engagements that are not assurance engagements,
as defined by paragraph C12C(a) (and, therefore, are not covered by the
CSAEs) include:
(a) Engagements covered by standards dealing with related services
engagements such as agreed-upon procedure and compilation
engagements;
(b) The preparation of tax returns where no assurance conclusion is
expressed; and
(c) Consulting (or advisory) engagements, such as management and tax
consulting. (Ref: Para. A1)
7.
An assurance engagement performed under the CSAEs may be part of a larger
engagement. In such circumstances, the CSAEs are relevant only to the
assurance portion of the engagement.
[3] CSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance Engagements
8.
The following engagements, which may be consistent with the description in
paragraph C12C(a), are not considered assurance engagements in terms of the
CSAEs:
(a) Engagements to testify in legal proceedings regarding accounting, auditing,
taxation or other matters; and
(b) Engagements that include professional opinions, views or wording from
which a user may derive some assurance, if all of the following apply:
(i) Those opinions, views or wording are merely incidental to the overall
engagement;
(ii) Any written report issued is expressly restricted for use by only the
intended users specified in the report;
(iii) Under a written understanding with the specified intended users, the
engagement is not intended to be an assurance engagement; and
(iv) The engagement is not represented as an assurance engagement in
the professional accountant’s report.
Effective Date
C9.
This CSAE is effective for attestation engagements where the assurance report
is dated on or after June 30, 2017.
Objectives
10.
In conducting an attestation engagement, the objectives of the practitioner are:
(a) To obtain either reasonable assurance or limited assurance, as appropriate,
about whether the subject matter information is free from material
misstatement;
(b) To express a conclusion regarding the outcome of the measurement or
evaluation of the underlying subject matter through a written report that
conveys either a reasonable assurance or a limited assurance conclusion
and describes the basis for the conclusion; (Ref: Para. A2) and
(c) To communicate further as required by this CSAE and any other relevant
CSAEs.
11.
In all cases when reasonable assurance or limited assurance, as appropriate,
cannot be obtained and a qualified conclusion in the practitioner’s assurance
report is insufficient in the circumstances for purposes of reporting to the
intended users, this CSAE requires that the practitioner disclaim a conclusion or
withdraw (or resign) from the engagement, where withdrawal is possible under
applicable law or regulation.
Definitions
C12.
For purposes of this CSAE and other CSAEs, unless indicated to the contrary,
the following terms have the meanings attributed below. (Ref: Para. A27)
C(a) Assurance engagement – An engagement in which a practitioner aims to
obtain sufficient appropriate evidence in order to express a conclusion
designed to enhance the degree of confidence of the intended users
other than the responsible party about the outcome of the measurement
or evaluation of an underlying subject matter against criteria. Each
assurance engagement is classified on two dimensions: (Ref: Para. A3)
[In ISAE 3000, this paragraph states: An engagement in which a
practitioner aims to obtain sufficient appropriate evidence in order to
express a conclusion designed to enhance the degree of confidence of
the intended users other than the responsible party about the subject
matter information (that is, the outcome of the measurement or evaluation
of an underlying subject matter against criteria). Each assurance
engagement is classified on two dimensions:]
(i) Either a reasonable assurance engagement or a limited assurance
engagement:
a. Reasonable assurance engagement – An assurance
engagement in which the practitioner reduces engagement risk to
an acceptably low level in the circumstances of the engagement
as the basis for the practitioner’s conclusion. The practitioner’s
conclusion is expressed in a form that conveys the practitioner’s
opinion on the outcome of the measurement or evaluation of the
underlying subject matter against criteria. A reasonable
assurance engagement may be referred to as an audit
engagement. [In ISAE 3000, the last sentence is not included.]
b. Limited assurance engagement – An engagement in which the
practitioner reduces engagement risk to a level that is acceptable
in the circumstances of the engagement but where that risk is
greater than for a reasonable assurance engagement as the
basis for expressing a conclusion in a form that conveys whether,
based on the procedures performed and evidence obtained, a
matter(s) has come to the practitioner’s attention to cause the
practitioner to believe: in an attestation engagement, the subject
matter information is materially misstated; or in a direct
engagement, that the underlying subject matter does not
conform, in all material respects, with the applicable criteria. The
nature, timing and extent of procedures performed in a limited
assurance engagement is limited compared with that necessary
in a reasonable assurance engagement but is planned to obtain a
level of assurance that is, in the practitioner’s professional
judgment, meaningful. To be meaningful, the level of assurance
obtained by the practitioner is likely to enhance the intended users’
confidence about the matters being reported on to a degree that is
clearly more than inconsequential. A limited assurance engagement
may be referred to as a review engagement. (Ref: Para. A3-A7) [In
ISAE 3000, this paragraph states: Limited assurance
engagement – An assurance engagement in which the
practitioner reduces engagement risk to a level that is acceptable
in the circumstances of the engagement but where that risk is
greater than for a reasonable assurance engagement as the
basis for expressing a conclusion in a form that conveys whether,
based on the procedures performed and evidence obtained, a
matter(s) has come to the practitioner’s attention to cause the
practitioner to believe the subject matter information is materially
misstated. The nature, timing and extent of procedures performed
in a limited assurance engagement is limited compared with that
necessary in a reasonable assurance engagement but is planned
to obtain a level of assurance that is, in the practitioner’s
professional judgment, meaningful. To be meaningful, the level of
assurance obtained by the practitioner is likely to enhance the
intended users’ confidence about the subject matter information to a
degree that is clearly more than inconsequential.]
(ii) Either an attestation engagement or a direct engagement: (Ref: Para.
CA8)
a. Attestation engagement – An assurance engagement in which a
party other than the practitioner measures or evaluates the
underlying subject matter against the criteria. A party other than
the practitioner also often presents the resulting subject matter
information in a report or statement. In some cases, however, the
subject matter information may be presented by the practitioner in
the assurance report. In an attestation engagement, the
practitioner’s conclusion addresses whether the subject matter
information is free from material misstatement. The practitioner’s
conclusion may be phrased in terms of: (Ref: Para. A178, A180)
(i) The underlying subject matter and the applicable criteria;
(ii) The subject matter information and the applicable criteria; or
(iii) A statement made by the appropriate party.
b. Direct engagement – An assurance engagement in which the
practitioner measures or evaluates the underlying subject matter
against the applicable criteria. In a direct engagement, the
practitioner’s conclusion addresses the reported outcome of the
measurement or evaluation of the underlying subject matter
against the criteria. [In ISAE 3000, this paragraph states: Direct
engagement – An assurance engagement in which the
practitioner measures or evaluates the underlying subject matter
against the applicable criteria and the practitioner presents the
resulting subject matter information as part of, or accompanying,
the assurance report. In a direct engagement, the practitioner’s
conclusion addresses the reported outcome of the measurement
or evaluation of the underlying subject matter against the criteria.]
(b) Assurance skills and techniques – Those planning, evidence gathering,
evidence evaluation, communication and reporting skills and techniques
demonstrated by an assurance practitioner that are distinct from expertise
in the underlying subject matter of any particular assurance engagement or
its measurement or evaluation. (Ref: Para. A9)
(c) Criteria – The benchmarks used to measure or evaluate the underlying
subject matter. The “applicable criteria” are the criteria used for the
particular engagement. (Ref: Para. A10)
(d) Engagement circumstances – The broad context defining the particular
engagement, which includes: the terms of the engagement; whether it is a
reasonable assurance engagement or a limited assurance engagement; the
characteristics of the underlying subject matter; the measurement or
evaluation criteria; the information needs of the intended users; relevant
characteristics of the responsible party, the measurer or evaluator, and the
engaging party and their environment; and other matters, for example,
events, transactions, conditions and practices, that may have a significant
effect on the engagement.
(e) Engagement partner – The partner or other person in the firm who is
responsible for the engagement and its performance, and for the assurance
report that is issued on behalf of the firm, and who, where required, has the
appropriate authority from a professional, legal or regulatory body.
“Engagement partner” should be read as referring to its public sector
equivalents where relevant.
(f) Engagement risk – The risk that the practitioner expresses an inappropriate
conclusion when the subject matter information is materially misstated.
(Ref: Para. A11-A14)
(g) Engaging party – The party(ies) that engages the practitioner to perform the
assurance engagement. (Ref: Para. A15)
(h) Engagement team – All partners and staff performing the engagement, and
any individuals engaged by the firm or a network firm who perform
procedures on the engagement. This excludes a practitioner’s external
expert engaged by the firm or a network firm.
(i) Evidence – Information used by the practitioner in arriving at the
practitioner’s conclusion. Evidence includes both information contained in
relevant information systems, if any, and other information. For purposes of
the CSAEs: (Ref: Para. A146-A152)
(i) Sufficiency of evidence is the measure of the quantity of evidence.
(ii) Appropriateness of evidence is the measure of the quality of evidence.
(j) Firm – A sole practitioner, partnership or corporation or other entity of
individual practitioners. “Firm” should be read as referring to its public
sector equivalents where relevant.
(k) Historical financial information – Information expressed in financial terms in
relation to a particular entity, derived primarily from that entity’s accounting
system, about economic events occurring in past time periods or about
economic conditions or circumstances at points in time in the past.
(l) Internal audit function – A function of an entity that performs assurance and
consulting activities designed to evaluate and improve the effectiveness of
the entity’s governance, risk management and internal control processes.
(m) Intended users – The individual(s) or organization(s), or group(s) thereof
that the practitioner expects will use the assurance report. In some cases,
there may be intended users other than those to whom the assurance
report is addressed. (Ref: Para. A16-A18, A37)
(n) Measurer or evaluator – The party(ies) who measures or evaluates the
underlying subject matter against the criteria. The measurer or evaluator
possesses expertise in the underlying subject matter. (Ref: Para. A37, A39)
(o) Misstatement – A difference between the subject matter information and the
appropriate measurement or evaluation of the underlying subject matter in
accordance with the criteria. Misstatements can be intentional or
unintentional, qualitative or quantitative, and include omissions.
(p) Misstatement of fact (with respect to other information) – Other information
that is unrelated to matters appearing in the subject matter information or
the assurance report that is incorrectly stated or presented. A material
misstatement of fact may undermine the credibility of the document
containing the subject matter information.
(q) Other information – Information (other than the subject matter information
and the assurance report thereon) which is included, either by law,
regulation or custom, in a document containing the subject matter
information and the assurance report thereon.
(r) Practitioner – The individual(s) conducting the engagement (usually the
engagement partner or other members of the engagement team, or, as
applicable, the firm). Where this CSAE expressly intends that a requirement
or responsibility be fulfilled by the engagement partner, the term
“engagement partner” rather than “practitioner” is used. (Ref: Para. A37)
(s) Practitioner’s expert – An individual or organization possessing expertise in
a field other than assurance, whose work in that field is used by the
practitioner to assist the practitioner in obtaining sufficient appropriate
evidence. A practitioner’s expert may be either a practitioner’s internal
expert (who is a partner or staff, including temporary staff, of the
practitioner’s firm or a network firm), or a practitioner’s external expert.
(t) Professional judgment – The application of relevant training, knowledge and
experience, within the context provided by assurance and ethical standards,
in making informed decisions about the courses of action that are
appropriate in the circumstances of the engagement.
(u) Professional skepticism – An attitude that includes a questioning mind,
being alert to conditions which may indicate possible misstatement, and a
critical assessment of evidence.
(v) Responsible party – The party(ies) responsible for the underlying subject
matter. (Ref: Para. A37)
(w) Risk of material misstatement – The risk that the subject matter information
is materially misstated prior to the engagement.
(x) Subject matter information – The outcome of the measurement or
evaluation of the underlying subject matter against the criteria; that is, the
information that results from applying the criteria to the underlying subject
matter. (Ref: Para. A19)
(y) Underlying subject matter – The phenomenon that is measured or
evaluated by applying criteria.
13. For the purposes of this CSAE and other CSAEs, references to “appropriate
party(ies)” should be read hereafter as “the responsible party, the measurer or
evaluator, or the engaging party, as appropriate.” (Ref: Para. A20, A37)
Requirements
Conduct of an Attestation Engagement in Accordance with CSAEs
Complying with Standards that Are Relevant to the Engagement
14. The practitioner shall comply with this CSAE and any subject-matter-specific
CSAEs relevant to the engagement.
15. The practitioner shall not represent compliance with this or any other CSAE
unless the practitioner has complied with the requirements of this CSAE and
any other CSAE relevant to the engagement. (Ref: Para. A21-A22)
Text of a CSAE
16. The practitioner shall have an understanding of the entire text of a CSAE,
including its application and other explanatory material, to understand its
objectives and to apply its requirements properly. (Ref: Para. A23-A28)
Complying with Relevant Requirements
17. Subject to the following paragraph, the practitioner shall comply with each
requirement of this CSAE and of any relevant subject-matter-specific CSAE
unless, in the circumstances of the engagement the requirement is not relevant
because it is conditional and the condition does not exist. Requirements that
apply to only limited assurance or reasonable assurance engagements have
been presented in a columnar format with the letter “L” (limited assurance) or
“R” (reasonable assurance) after the paragraph number. (Ref: Para. A29)
18. In exceptional circumstances, the practitioner may judge it necessary to depart
from a relevant requirement in a CSAE. In such circumstances, the practitioner
shall perform alternative procedures to achieve the aim of that requirement. The
need for the practitioner to depart from a relevant requirement is expected to
arise only where the requirement is for a specific procedure to be performed
and, in the specific circumstances of the engagement, that procedure would be
ineffective in achieving the aim of the requirement.
Failure to Achieve an Objective
19. If an objective in this CSAE or a relevant subject-matter-specific CSAE cannot
be achieved, the practitioner shall evaluate whether this requires the
practitioner to modify the practitioner’s conclusion or withdraw from the
engagement (where withdrawal is possible under applicable law or regulation).
Failure to achieve an objective in a relevant CSAE represents a significant
matter requiring documentation in accordance with paragraph 79 of this CSAE.
Ethical Requirements
C20. The practitioner shall comply with relevant rules of professional conduct/code of
ethics in Canada, applicable to the practice of public accounting and related to
assurance engagements, issued by various professional accounting bodies or
other professional requirements, or requirements imposed by law or regulation,
that are at least as demanding. (Ref: Para. CA30-CA34, CA60) [In ISAE 3000,
paragraph 20 states: The practitioner shall comply with Parts A and B of the
IESBA Code related to assurance engagements, or other professional
requirements, or requirements imposed by law or regulation, that are at least as
demanding.]
Acceptance and Continuance
21. The engagement partner shall be satisfied that appropriate procedures
regarding the acceptance and continuance of client relationships and assurance
engagements have been followed by the firm, and shall determine that
conclusions reached in this regard are appropriate.
22. The practitioner shall accept or continue an attestation engagement only when:
(Ref: Para. CA30-CA34)
(a) The practitioner has no reason to believe that relevant ethical requirements,
including independence, will not be satisfied;
(b) The practitioner is satisfied that those persons who are to perform the
engagement collectively have the appropriate competence and capabilities
(see also paragraph 32); and
(c) The basis upon which the engagement is to be performed has been agreed,
through:
(i) Establishing that the preconditions for an attestation engagement are
present (see also paragraphs 24-26); and
(ii) Confirming that there is a common understanding between the
practitioner and the engaging party of the terms of the engagement,
including the practitioner’s reporting responsibilities.
23. If the engagement partner obtains information that would have caused the firm
to decline the engagement had that information been available earlier, the
engagement partner shall communicate that information promptly to the firm, so
that the firm and the engagement partner can take the necessary action.
Preconditions for the Attestation Engagement
24. In order to establish whether the preconditions for an attestation engagement
are present, the practitioner shall, on the basis of a preliminary knowledge of
the engagement circumstances and discussion with the appropriate party(ies),
determine whether: (Ref: Para. A35-A36)
(a) The roles and responsibilities of the appropriate parties are suitable in the
circumstances; and (Ref: Para. A37-A39)
(b) The engagement exhibits all of the following characteristics:
(i) The underlying subject matter is appropriate; (Ref: Para. A40-A44)
(ii) The criteria that the practitioner expects to be applied in the preparation
of the subject matter information are suitable for the engagement
circumstances, including that they exhibit the following characteristics:
(Ref: Para. A45-A50)
a. Relevance.
b. Completeness.
c. Reliability.
d. Neutrality.
e. Understandability.
(iii) The criteria that the practitioner expects to be applied in the preparation
of the subject matter information will be available to the intended users;
(Ref: Para. A51-A52)
(iv) The practitioner expects to be able to obtain the evidence needed to
support the practitioner’s conclusion; (Ref: Para. A53-A55)
(v) The practitioner’s conclusion, in the form appropriate to either a
reasonable assurance engagement or a limited assurance
engagement, is to be contained in a written report; and
(vi) A rational purpose including, in the case of a limited assurance
engagement, that the practitioner expects to be able to obtain a
meaningful level of assurance. (Ref: Para. A56)
25. If the preconditions for an attestation engagement are not present, the
practitioner shall discuss the matter with the engaging party. If changes cannot
be made to meet the preconditions, the practitioner shall not accept the
engagement as an assurance engagement unless required by law or regulation
to do so. However, an engagement conducted under such circumstances does
not comply with CSAEs. Accordingly, the practitioner shall not include any
reference within the assurance report to the engagement having been
conducted in accordance with this CSAE or any other CSAEs.
Limitation on Scope Prior to Acceptance of the Engagement
26. If the engaging party imposes a limitation on the scope of the practitioner’s work
in the terms of a proposed attestation engagement such that the practitioner
believes the limitation will result in the practitioner disclaiming a conclusion on
the subject matter information, the practitioner shall not accept such an
engagement as an assurance engagement, unless required by law or regulation
to do so. (Ref: Para. A155(c))
Agreeing on the Terms of the Engagement
27. The practitioner shall agree the terms of the engagement with the engaging
party. The agreed terms of the engagement shall be specified in sufficient detail
in an engagement letter or other suitable form of written agreement, written
confirmation, or in law or regulation. (Ref: Para. A57-A58)
28. On recurring engagements, the practitioner shall assess whether circumstances
require the terms of the engagement to be revised and whether there is a need
to remind the engaging party of the existing terms of the engagement.
Acceptance of a Change in the Terms of the Engagement
29. The practitioner shall not agree to a change in the terms of the engagement
where there is no reasonable justification for doing so. If such a change is
made, the practitioner shall not disregard evidence that was obtained prior to
the change. (Ref: Para. A59)
Assurance Report Prescribed by Law or Regulation
30. In some cases, law or regulation of the relevant jurisdiction prescribes the
layout or wording of the assurance report. In these circumstances, the
practitioner shall evaluate:
(a) Whether intended users might misunderstand the assurance conclusion;
and
(b) If so, whether additional explanation in the assurance report can mitigate
possible misunderstanding.
If the practitioner concludes that additional explanation in the assurance report
cannot mitigate possible misunderstanding, the practitioner shall not accept the
engagement, unless required by law or regulation to do so. An engagement
conducted in accordance with such law or regulation does not comply with
CSAEs. Accordingly, the practitioner shall not include any reference within the
assurance report to the engagement having been conducted in accordance with
this CSAE or any other CSAE(s) (see also paragraph 71).
Quality Control
Characteristics of the Engagement Partner
31. The engagement partner shall:
(a) Be a member of a firm that applies CSQC 1, or other professional
requirements, or requirements in law or regulation, that are at least as
demanding as CSQC 1; (Ref: Para. CA60-A66)
(b) Have competence in assurance skills and techniques developed through
extensive training and practical application; and (Ref: Para. CA60)
(c) Have sufficient competence in the underlying subject matter and its
measurement or evaluation to accept responsibility for the assurance
conclusion. (Ref: Para. A67-CA68)
Assignment of the Team
32. The engagement partner shall: (Ref: Para. A69)
(a) Be satisfied that those persons who are to perform the engagement
collectively have the appropriate competence and capabilities to: (Ref:
Para. A70-A71)
(i) Perform the engagement in accordance with relevant standards and
applicable legal and regulatory requirements; and
(ii) Enable an assurance report that is appropriate in the circumstances to
be issued.
(b) Be satisfied that the practitioner will be able to be involved in the work of:
(i) A practitioner’s expert where the work of that expert is to be used; and
(Ref: Para. A70-A71)
(ii) Another practitioner, not part of the engagement team, where the
assurance work of that practitioner is to be used, (Ref: Para. A72-A73)
to an extent that is sufficient to accept responsibility for the assurance
conclusion on the subject matter information.
Responsibilities of the Engagement Partner
33. The engagement partner shall take responsibility for the overall quality on the
engagement. This includes responsibility for:
(a) Appropriate procedures being performed regarding the acceptance and
continuance of client relationships and engagements;
(b) The engagement being planned and performed (including appropriate
direction and supervision) to comply with professional standards and
applicable legal and regulatory requirements;
(c) Reviews being performed in accordance with the firm’s review policies and
procedures, and reviewing the engagement documentation on or before the
date of the assurance report; (Ref: Para. A74)
(d) Appropriate engagement documentation being maintained to provide
evidence of achievement of the practitioner’s objectives, and that the
engagement was performed in accordance with relevant CSAEs and
relevant legal and regulatory requirements; and
(e) Appropriate consultation being undertaken by the engagement team on
difficult or contentious matters.
34. Throughout the engagement, the engagement partner shall remain alert,
through observation and making inquiries as necessary, for evidence of
non-compliance with relevant ethical requirements by members of the engagement
team. If matters come to the engagement partner’s attention through the firm’s
system of quality control or otherwise that indicate that members of the
engagement team have not complied with relevant ethical requirements, the
engagement partner, in consultation with others in the firm, shall determine the
appropriate action.
35. The engagement partner shall consider the results of the firm’s monitoring
process as evidenced in the latest information circulated by the firm and, if
applicable, other network firms and whether deficiencies noted in that
information may affect the assurance engagement.
Engagement Quality Control Review
36. For those engagements, if any, for which a quality control review is required by
law or regulation or for which the firm has determined that an engagement
quality control review is required:
(a) The engagement partner shall take responsibility for discussing significant
matters arising during the engagement with the engagement quality control
reviewer, and not date the assurance report until completion of that review;
and
(b) The engagement quality control reviewer shall perform an objective
evaluation of the significant judgments made by the engagement team, and
the conclusions reached in formulating the assurance report. This
evaluation shall involve: (Ref: Para. A75)
(i) Discussion of significant matters with the engagement partner;
(ii) Review of the subject matter information and the proposed assurance
report;
(iii) Review of selected engagement documentation relating to the
significant judgments the engagement team made and the conclusions
it reached; and
(iv) Evaluation of the conclusions reached in formulating the assurance
report and consideration of whether the proposed report is appropriate.
Professional Skepticism, Professional Judgment, and Assurance Skills and
Techniques
37. The practitioner shall plan and perform an engagement with professional
skepticism, recognizing that circumstances may exist that cause the subject
matter information to be materially misstated. (Ref: Para. A76-A80)
38. The practitioner shall exercise professional judgment in planning and
performing an attestation engagement, including determining the nature, timing
and extent of procedures. (Ref: Para. A81-A85)
39. The practitioner shall apply assurance skills and techniques as part of an
iterative, systematic engagement process.
Planning and Performing the Engagement
Planning
40. The practitioner shall plan the engagement so that it will be performed in an
effective manner, including setting the scope, timing and direction of the
engagement, and determining the nature, timing and extent of planned
procedures that are required to be carried out in order to achieve the objective
of the practitioner. (Ref: Para. A86-A89)
41. The practitioner shall determine whether the criteria are suitable for the
engagement circumstances, including that they exhibit the characteristics
identified in paragraph 24(b)(ii).
42. If it is discovered after the engagement has been accepted that one or more
preconditions for an assurance engagement is not present, the practitioner shall
discuss the matter with the appropriate party(ies), and shall determine:
(a) Whether the matter can be resolved to the practitioner’s satisfaction;
(b) Whether it is appropriate to continue with the engagement; and
(c) Whether and, if so, how to communicate the matter in the assurance report.
43. If it is discovered after the engagement has been accepted that some or all of
the applicable criteria are unsuitable or some or all of the underlying subject
matter is not appropriate for an assurance engagement, the practitioner shall
consider withdrawing from the engagement, if withdrawal is possible under
applicable law or regulation. If the practitioner continues with the engagement,
the practitioner shall express a qualified or adverse conclusion, or disclaimer of
conclusion, as appropriate in the circumstances. (Ref: Para. A90-A91)
Materiality
44. The practitioner shall consider materiality when: (Ref: Para. A92-A100)
(a) Planning and performing the assurance engagement, including when
determining the nature, timing and extent of procedures; and
(b) Evaluating whether the subject matter information is free from material
misstatement.
Understanding the Underlying Subject Matter and Other Engagement Circumstances
45. The practitioner shall make inquiries of the appropriate party(ies) regarding:
(a) Whether they have knowledge of any actual, suspected or alleged
intentional misstatement or non-compliance with laws and regulations
affecting the subject matter information; (Ref: Para. A101)
(b) Whether the responsible party has an internal audit function and, if so,
make further inquiries to obtain an understanding of the activities and main
findings of the internal audit function with respect to the subject matter
information; and
(c) Whether the responsible party has used any experts in the preparation of
the subject matter information.
Limited Assurance
46L. The practitioner shall obtain an understanding of the underlying subject
matter and other engagement circumstances sufficient to:
(a) Enable the practitioner to identify areas where a material misstatement of
the subject matter information is likely to arise; and
(b) Thereby, provide a basis for designing and performing procedures to address
the areas identified in paragraph 46L(a) and to obtain limited assurance to
support the practitioner’s conclusion. (Ref: Para. A101-A104, A107)
47L. In obtaining an understanding of the underlying subject matter and other
engagement circumstances under paragraph 46L, the practitioner shall consider
the process used to prepare the subject matter information. (Ref: Para. A106)
Reasonable Assurance
46R. The practitioner shall obtain an understanding of the underlying subject
matter and other engagement circumstances sufficient to:
(a) Enable the practitioner to identify and assess the risks of material
misstatement in the subject matter information; and
(b) Thereby, provide a basis for designing and performing procedures to respond
to the assessed risks and to obtain reasonable assurance to support the
practitioner’s conclusion. (Ref: Para. A101-A103, A107)
47R. In obtaining an understanding of the underlying subject matter and other
engagement circumstances under paragraph 46R, the practitioner shall obtain an
understanding of internal control over the preparation of the subject matter
information relevant to the engagement. This includes evaluating the design of
those controls relevant to the engagement and determining whether they have
been implemented by performing procedures in addition to inquiry of the
personnel responsible for the subject matter information. (Ref: Para. A105)
Obtaining Evidence
Risk Consideration and Responses to Risks
Limited Assurance
48L. Based on the practitioner’s understanding (see paragraph 46L), the
practitioner shall: (Ref: Para. A108-A112)
(a) Identify areas where a material misstatement of the subject matter
information is likely to arise;
(b) Design and perform procedures to address the areas identified in paragraph
48L(a) and to obtain limited assurance to support the practitioner’s
conclusion.
Determining Whether Additional Procedures Are Necessary in a Limited Assurance
Engagement
49L. If the practitioner becomes aware of a matter(s) that causes the
practitioner to believe that the subject matter information may be materially
misstated, the practitioner shall design and perform additional procedures to
obtain further evidence until the practitioner is able to: (Ref: Para.
A112-A117)
(a) Conclude that the matter is not likely to cause the subject matter
information to be materially misstated; or
(b) Determine that the matter(s) causes the subject matter information to be
materially misstated.
Reasonable Assurance
48R. Based on the practitioner’s understanding (see paragraph 46R), the
practitioner shall: (Ref: Para. A108-A110)
(a) Identify and assess the risks of material misstatement in the subject
matter information; and
(b) Design and perform procedures to respond to the assessed risks and to
obtain reasonable assurance to support the practitioner’s conclusion. In
addition to any other procedures on the subject matter information that are
appropriate in the engagement circumstances, the practitioner’s procedures
shall include obtaining sufficient appropriate evidence as to the operating
effectiveness of relevant controls over the subject matter information when:
(i) The practitioner’s assessment of the risks of material misstatement
includes an expectation that controls are operating effectively; or
(ii) Procedures other than testing of controls cannot alone provide sufficient
appropriate evidence.
Revision of Risk Assessment in a Reasonable Assurance Engagement
49R. The practitioner’s assessment of the risks of material misstatement in the
subject matter information may change during the course of the engagement as
additional evidence is obtained. In circumstances where the practitioner
obtains evidence that is inconsistent with the evidence on which the
practitioner originally based the assessment of the risks of material
misstatement, the practitioner shall revise the assessment and modify the
planned procedures accordingly. (Ref: Para. A112)
50. When designing and performing procedures, the practitioner shall consider the
relevance and reliability of the information to be used as evidence. If:
(a) Evidence obtained from one source is inconsistent with that obtained from
another; or
(b) The practitioner has doubts about the reliability of information to be used as
evidence,
the practitioner shall determine what changes or additions to procedures are
necessary to resolve the matter, and shall consider the effect of the matter, if
any, on other aspects of the engagement.
51. The practitioner shall accumulate uncorrected misstatements identified during
the engagement other than those that are clearly trivial. (Ref: Para. A118-A119)
Work Performed by a Practitioner’s Expert
52. When the work of a practitioner’s expert is to be used, the practitioner shall
also: (Ref: Para. A120-A124)
(a) Evaluate whether the practitioner’s expert has the necessary competence,
capabilities and objectivity for the practitioner’s purposes. In the case of a
practitioner’s external expert, the evaluation of objectivity shall include
inquiry regarding interests and relationships that may create a threat to that
expert’s objectivity; (Ref: Para. A125-A128)
(b) Obtain a sufficient understanding of the field of expertise of the
practitioner’s expert; (Ref: Para. A129-A130)
(c) Agree with the practitioner’s expert on the nature, scope and objectives of
that expert’s work; and (Ref: Para. A131-A132)
(d) Evaluate the adequacy of the practitioner’s expert’s work for the
practitioner’s purposes. (Ref: Para. A133-A134)
Work Performed by Another Practitioner, a Responsible Party’s or Measurer’s or
Evaluator’s Expert, or an Internal Auditor (Ref: Para. A135)
53. When the work of another practitioner is to be used, the practitioner shall
evaluate whether that work is adequate for the practitioner’s purposes.
54. If information to be used as evidence has been prepared using the work of a
responsible party’s or a measurer’s or evaluator’s expert, the practitioner shall,
to the extent necessary having regard to the significance of that expert’s work
for the practitioner’s purposes:
(a) Evaluate the competence, capabilities and objectivity of that expert;
(b) Obtain an understanding of the work of that expert; and
(c) Evaluate the appropriateness of that expert’s work as evidence.
55.
If the practitioner plans to use the work of the internal audit function, the
practitioner shall evaluate the following:
(a) The extent to which the internal audit function’s organizational status and
relevant policies and procedures support the objectivity of the internal
auditors;
(b) The level of competence of the internal audit function;
(c) Whether the internal audit function applies a systematic and disciplined
approach, including quality control; and
(d) Whether the work of the internal audit function is adequate for the purposes
of the engagement.
Written Representations
56.
The practitioner shall request from the appropriate party(ies) a written
representation:
(a) That it has provided the practitioner with all information of which the
appropriate party(ies) is aware that is relevant to the engagement. (Ref:
Para. A54-A55 and A136-A138)
(b) Confirming the measurement or evaluation of the underlying subject matter
against the applicable criteria, including that all relevant matters are
reflected in the subject matter information.
57.
If, in addition to required representations, the practitioner determines that it is
necessary to obtain one or more written representations to support other
evidence relevant to the subject matter information, the practitioner shall
request such other written representations.
58.
When written representations relate to matters that are material to the subject
matter information, the practitioner shall:
(a) Evaluate their reasonableness and consistency with other evidence
obtained, including other representations (oral or written); and
(b) Consider whether those making the representations can be expected to be
well informed on the particular matters.
59.
The date of the written representations shall be as near as practicable to, but
not after, the date of the assurance report.
Requested Written Representations Not Provided or Not Reliable
60.
If one or more of the requested written representations are not provided or the
practitioner concludes that there is sufficient doubt about the competence,
integrity, ethical values, or diligence of those providing the written
representations, or that the written representations are otherwise not reliable,
the practitioner shall: (Ref: Para. A139)
(a) Discuss the matter with the appropriate party(ies);
(b) Reevaluate the integrity of those from whom the representations were
requested or received and evaluate the effect that this may have on the
reliability of representations (oral or written) and evidence in general; and
(c) Take appropriate actions, including determining the possible effect on the
conclusion in the assurance report.
Subsequent Events
61.
When relevant to the engagement, the practitioner shall consider the effect on
the subject matter information and on the assurance report of events up to the
date of the assurance report, and shall respond appropriately to facts that
become known to the practitioner after the date of the assurance report, that,
had they been known to the practitioner at that date, may have caused the
practitioner to amend the assurance report. The extent of consideration of
subsequent events depends on the potential for such events to affect the
subject matter information and to affect the appropriateness of the practitioner’s
conclusion. However, the practitioner has no responsibility to perform any
procedures regarding the subject matter information after the date of the
assurance report. (Ref: Para. A140-A141)
Other Information
62.
When documents containing the subject matter information and the assurance
report thereon include other information, the practitioner shall read that other
information to identify material inconsistencies, if any, with the subject matter
information or the assurance report and, if on reading that other information, the
practitioner: (Ref: Para. A142)
(a) Identifies a material inconsistency between that other information and the
subject matter information or the assurance report; or
(b) Becomes aware of a material misstatement of fact in that other information
that is unrelated to matters appearing in the subject matter information or
the assurance report,
the practitioner shall discuss the matter with the appropriate party(ies) and take
further action as appropriate.
Description of Applicable Criteria
63.
The practitioner shall evaluate whether the subject matter information
adequately refers to or describes the applicable criteria. (Ref: Para. A143-A145)
Forming the Assurance Conclusion
64.
The practitioner shall evaluate the sufficiency and appropriateness of the
evidence obtained in the context of the engagement and, if necessary in the
circumstances, attempt to obtain further evidence. The practitioner shall
consider all relevant evidence, regardless of whether it appears to corroborate
or to contradict the measurement or evaluation of the underlying subject matter
against the applicable criteria. If the practitioner is unable to obtain necessary
further evidence, the practitioner shall consider the implications for the
practitioner’s conclusion in paragraph 65. (Ref: Para. A146-A152)
65.
The practitioner shall form a conclusion about whether the subject matter
information is free from material misstatement. In forming that conclusion, the
practitioner shall consider the practitioner’s conclusion in paragraph 64
regarding the sufficiency and appropriateness of evidence obtained and an
evaluation of whether uncorrected misstatements are material, individually or in
the aggregate. (Ref: Para. A118-A119 and A153-A154)
66.
If the practitioner is unable to obtain sufficient appropriate evidence, a scope
limitation exists and the practitioner shall express a qualified conclusion,
disclaim a conclusion, or withdraw from the engagement, where withdrawal is
possible under applicable law or regulation, as appropriate. (Ref: Para. A155-A157)
Preparing the Assurance Report
67.
The assurance report shall be in writing and shall contain a clear expression of
the practitioner’s conclusion about the subject matter information.
(Ref: Para. A2, A158-A160)
68.
The practitioner’s conclusion shall be clearly separated from information or
explanations that are not intended to affect the practitioner’s conclusion,
including any Emphasis of Matter, Other Matter, findings related to particular
aspects of the engagements, recommendations or additional information
included in the assurance report. The wording used shall make it clear that an
Emphasis of Matter, Other Matter, findings, recommendations or additional
information is not intended to detract from the practitioner’s conclusion.
(Ref: Para. A158-A160)
Assurance Report Content
C69.
The assurance report shall include, at a minimum, the following basic elements:
(a) A title that clearly indicates the report is an independent assurance report.
(Ref: Para. A161)
(b) An addressee. (Ref: Para. A162)
(c) An identification or description of the level of assurance obtained by the
practitioner, the subject matter information and, when appropriate, the
underlying subject matter. When the practitioner’s conclusion is phrased in
terms of a statement made by the appropriate party, that statement shall
accompany the assurance report, be reproduced in the assurance report or
be referenced therein to a source that is available to the intended users.
(Ref: Para. A163)
(d) Identification of the applicable criteria. (Ref: Para. A164)
(e) Where appropriate, a description of any significant inherent limitations
associated with the measurement or evaluation of the underlying subject
matter against the applicable criteria. (Ref: Para. A165)
(f) When the applicable criteria are designed for a specific purpose, a
statement alerting readers to this fact and that, as a result, the subject
matter information may not be suitable for another purpose.
(Ref: Para. A166-A167)
(g) A statement to identify the responsible party and the measurer or evaluator
if different, and to describe their responsibilities and the practitioner’s
responsibilities. (Ref: Para. A168)
(h) A statement that the engagement was performed in accordance with this
CSAE or, where there is a subject-matter-specific CSAE, that CSAE.
(Ref: Para. A169-A170)
(i) A statement that the firm of which the practitioner is a member applies
CSQC 1, or other professional requirements, or requirements in law or
regulation, that are at least as demanding as CSQC 1. If the practitioner is
not a professional accountant, the statement shall identify the professional
requirements, or requirements in law or regulation, applied that are at least
as demanding as CSQC 1. (Ref: Para. A171)
C(j) A statement that the practitioner complies with the independence and other
ethical requirements of relevant rules of professional conduct/code of ethics
in Canada applicable to the practice of public accounting and related to
assurance engagements, issued by various professional accounting bodies
or other professional requirements, or requirements imposed by law or
regulation, that are at least as demanding. If the practitioner is not a
professional accountant, the statement shall identify the professional
requirements, or requirements imposed by law or regulation, applied that
are at least as demanding. (Ref: Para. A172) [In ISAE 3000, this paragraph
states: A statement that the practitioner complies with the independence
and other ethical requirements of the IESBA Code, or other professional
requirements, or requirements imposed by law or regulation, that are at
least as demanding as Parts A and B of the IESBA Code related to
assurance engagements. If the practitioner is not a professional accountant,
the statement shall identify the professional requirements, or requirements
imposed by law or regulation, applied that are at least as demanding as
Parts A and B of the IESBA Code related to assurance engagements.]
(k) An informative summary of the work performed as the basis for the
practitioner’s conclusion. In the case of a limited assurance engagement,
an appreciation of the nature, timing and extent of procedures performed is
essential to understanding the practitioner’s conclusion. In a limited
assurance engagement, the summary of the work performed shall state
that:
(i) The procedures performed in a limited assurance engagement vary in
nature and timing from, and are less in extent than for, a reasonable
assurance engagement; and
(ii) Consequently, the level of assurance obtained in a limited assurance
engagement is substantially lower than the assurance that would have
been obtained had a reasonable assurance engagement been
performed. (Ref: Para. A6, A173-A177)
(l) The practitioner’s conclusion: (Ref: Para. A2, A178-A180)
(i) When appropriate, the conclusion shall inform the intended users of the
context in which the practitioner’s conclusion is to be read.
(Ref: Para. A179)
(ii) In a reasonable assurance engagement, the conclusion shall be
expressed in a positive form. (Ref: Para. A178)
(iii) In a limited assurance engagement, the conclusion shall be expressed
in a form that conveys whether, based on the procedures performed
and evidence obtained, a matter(s) has come to the practitioner’s
attention to cause the practitioner to believe that the subject matter
information is materially misstated. (Ref: Para. A180)
(iv) The conclusion in (ii) or (iii) shall be phrased using appropriate words
for the underlying subject matter and applicable criteria given the
engagement circumstances and shall be phrased in terms of: (Ref:
Para. A181)
a. The underlying subject matter and the applicable criteria;
b. The subject matter information and the applicable criteria; or
c. A statement made by the appropriate party.
(v) When the practitioner expresses a modified conclusion, the assurance
report shall contain:
a. A section that provides a description of the matter(s) giving rise to
the modification; and
b. A section that contains the practitioner’s modified conclusion. (Ref:
Para. A182)
(m) The practitioner’s signature. (Ref: Para. A183)
(n) The date of the assurance report. The assurance report shall be dated no
earlier than the date on which the practitioner has obtained the evidence on
which the practitioner’s conclusion is based, including evidence that those
with the recognized authority have asserted that they have taken
responsibility for the subject matter information. (Ref: Para. A184)
(o) The location in the jurisdiction where the practitioner practices.
Reference to the Practitioner’s Expert in the Assurance Report
70.
If the practitioner refers to the work of a practitioner’s expert in the assurance
report, the wording of that report shall not imply that the practitioner’s
responsibility for the conclusion expressed in that report is reduced because of
the involvement of that expert. (Ref: Para. A185-A187)
Assurance Report Prescribed by Law or Regulation
71.
If the practitioner is required by law or regulation to use a specific layout or
wording of the assurance report, the assurance report shall refer to this or other
CSAEs only if the assurance report includes, at a minimum, each of the
elements identified in paragraph C69.
Unmodified and Modified Conclusions
72.
The practitioner shall express an unmodified conclusion when the practitioner
concludes:
(a) In the case of a reasonable assurance engagement, that the subject matter
information is prepared, in all material respects, in accordance with the
applicable criteria; or
(b) In the case of a limited assurance engagement, that, based on the
procedures performed and evidence obtained, no matter(s) has come to the
attention of the practitioner that causes the practitioner to believe that the
subject matter information is not prepared, in all material respects, in
accordance with the applicable criteria.
73.
If the practitioner considers it necessary to:
(a) Draw intended users’ attention to a matter presented or disclosed in the
subject matter information that, in the practitioner’s judgment, is of such
importance that it is fundamental to intended users’ understanding of the
subject matter information (an Emphasis of Matter paragraph); or
(b) Communicate a matter other than those that are presented or disclosed in
the subject matter information that, in the practitioner’s judgment, is relevant
to intended users’ understanding of the engagement, the practitioner’s
responsibilities or the assurance report (an Other Matter paragraph),
and this is not prohibited by law or regulation, the practitioner shall do so in a
paragraph in the assurance report, with an appropriate heading, that clearly
indicates the practitioner’s conclusion is not modified in respect of the matter. In
the case of an Emphasis of Matter paragraph, such a paragraph shall refer only
to information presented or disclosed in the subject matter information.
74.
The practitioner shall express a modified conclusion in the following
circumstances:
(a) When, in the practitioner’s professional judgment, a scope limitation exists
and the effect of the matter could be material (see paragraph 66). In such
cases, the practitioner shall express a qualified conclusion or a disclaimer
of conclusion.
(b) When, in the practitioner’s professional judgment, the subject matter
information is materially misstated. In such cases, the practitioner shall
express a qualified conclusion or adverse conclusion. (Ref: Para. A190)
75.
The practitioner shall express a qualified conclusion when, in the practitioner’s
professional judgment, the effects, or possible effects, of a matter are not so
material and pervasive as to require an adverse conclusion or a disclaimer of
conclusion. A qualified conclusion shall be expressed as being “except for” the
effects, or possible effects, of the matter to which the qualification relates. (Ref:
Para. A188-A189)
76.
If the practitioner expresses a modified conclusion because of a scope limitation
but is also aware of a matter(s) that causes the subject matter information to be
materially misstated, the practitioner shall include in the assurance report a
clear description of both the scope limitation and the matter(s) that causes the
subject matter information to be materially misstated.
77.
When the statement made by the appropriate party has identified and properly
described that the subject matter information is materially misstated, the
practitioner shall either:
(a) Express a qualified conclusion or adverse conclusion phrased in terms of
the underlying subject matter and the applicable criteria; or
(b) If specifically required by the terms of the engagement to phrase the
conclusion in terms of a statement made by the appropriate party, express
an unqualified conclusion but include an Emphasis of Matter paragraph in
the assurance report referring to the statement made by the appropriate
party that identifies and properly describes that the subject matter
information is materially misstated. (Ref: Para. A191)
Other Communication Responsibilities
78.
The practitioner shall consider whether, pursuant to the terms of the
engagement and other engagement circumstances, any matter has come to the
attention of the practitioner that is to be communicated with the responsible
party, the engaging party, those charged with governance or others. (Ref: Para.
A192)
Documentation
79.
The practitioner shall prepare on a timely basis engagement documentation that
provides a record of the basis for the assurance report that is sufficient and
appropriate to enable an experienced practitioner, having no previous
connection with the engagement, to understand: (Ref: Para. A193-A197)
(a) The nature, timing and extent of the procedures performed to comply with
relevant CSAEs and applicable legal and regulatory requirements;
(b) The results of the procedures performed, and the evidence obtained; and
(c) Significant matters arising during the engagement, the conclusions reached
thereon, and significant professional judgments made in reaching those
conclusions.
80.
If the practitioner identifies information that is inconsistent with the practitioner’s
final conclusion regarding a significant matter, the practitioner shall document
how the practitioner addressed the inconsistency.
81.
The practitioner shall assemble the engagement documentation in an
engagement file and complete the administrative process of assembling the
final engagement file on a timely basis after the date of the assurance report.
(Ref: Para. A198-A199)
82.
After the assembly of the final engagement file has been completed, the
practitioner shall not delete or discard engagement documentation of any
nature before the end of its retention period. (Ref: Para. A200)
83.
If the practitioner finds it necessary to amend existing engagement
documentation or add new engagement documentation after the assembly of
the final engagement file has been completed the practitioner shall, regardless
of the nature of the amendments or additions, document:
(a) The specific reasons for making the amendments or additions; and
(b) When, and by whom, they were made and reviewed.
***
Application and Other Explanatory Material
Introduction (Ref: Para. 6)
A1.
In a consulting engagement, the practitioner applies technical skills, education,
observations, experiences, and knowledge. Consulting engagements involve an
analytical process that typically involves some combination of activities relating
to: objective-setting, fact-finding, definition of problems or opportunities,
evaluation of alternatives, development of recommendations including actions,
communication of results, and sometimes implementation and follow-up.
Reports (if issued) are generally written in a narrative (or “long form”) style.
Generally the work performed is only for the use and benefit of the client. The
nature and scope of work is determined by agreement between the practitioner
and the client. Any service that meets the definition of an assurance
engagement is not a consulting engagement but an assurance engagement.
Objectives
Engagements with Subject Matter Information Comprising a Number of Aspects
(Ref: Para. 10, 65, C69(l))
A2.
Where the subject matter information is made up of a number of aspects,
separate conclusions may be provided on each aspect. All such separate
conclusions do not need to relate to the same level of assurance. Rather, each
conclusion is expressed in the form that is appropriate to either a reasonable
assurance engagement or a limited assurance engagement. References in this
CSAE to the conclusion in the assurance report include each conclusion when
separate conclusions are provided.
Definitions
The Nature, Timing and Extent of Procedures in Limited and Reasonable Assurance
Engagements (Ref: Para. C12C(a)(i))
A3.
Because the level of assurance obtained in a limited assurance engagement is
lower than in a reasonable assurance engagement, the procedures the
practitioner performs in a limited assurance engagement vary in nature and
timing from, and are less in extent than for, a reasonable assurance
engagement. The primary differences between the procedures for a reasonable
assurance engagement and a limited assurance engagement include:
(a) The emphasis placed on the nature of various procedures as a source of
evidence will likely differ, depending on the engagement circumstances. For
example, the practitioner may judge it to be appropriate in the
circumstances of a particular limited assurance engagement to place
relatively greater emphasis on inquiries of the entity’s personnel and
analytical procedures, and relatively less emphasis, if any, on testing of
controls and obtaining evidence from external sources than may be the
case for a reasonable assurance engagement.
(b) In a limited assurance engagement, the practitioner may:
• Select fewer items for examination; or
• Perform fewer procedures (for example, performing only analytical
procedures in circumstances when, in a reasonable assurance
engagement, both analytical procedures and other procedures would
be performed).
(c) In a reasonable assurance engagement, analytical procedures performed in
response to the engagement risk involve developing expectations that are
sufficiently precise to identify material misstatements. In a limited assurance
engagement, analytical procedures may be designed to support
expectations regarding the direction of trends, relationships and ratios
rather than to identify misstatements with the level of precision expected in
a reasonable assurance engagement.
(d) Further, when significant fluctuations, relationships or differences are
identified, appropriate evidence in a limited assurance engagement may be
obtained by making inquiries and considering responses received in the
light of known engagement circumstances.
(e) In addition, when undertaking analytical procedures in a limited assurance
engagement, the practitioner may, for example, use data that is more highly
aggregated, such as quarterly data rather than monthly data, or use data
that has not been subjected to separate procedures to test its reliability to
the same extent as it would be for a reasonable assurance engagement.
A Level of Assurance that is Meaningful (Ref: Para. C12C(a)(i)(b), 47L)
A4.
The level of assurance the practitioner plans to obtain is not ordinarily
susceptible to quantification, and whether it is meaningful is a matter of
professional judgment for the practitioner to determine in the circumstances of
the engagement. In a limited assurance engagement, the practitioner performs
procedures that are limited compared with those necessary in a reasonable
assurance engagement but are nonetheless planned to obtain a level of
assurance that is meaningful. To be meaningful, the level of assurance
obtained by the practitioner is likely to enhance the intended users’ confidence
about the subject matter information to a degree that is clearly more than
inconsequential (see also paragraphs A16-A18).
A5.
Across the range of all limited assurance engagements, what is meaningful
assurance can vary from just above assurance that is likely to enhance the
intended users’ confidence about the subject matter information to a degree
that is clearly more than inconsequential to just below reasonable assurance.
What is meaningful in a particular engagement represents a judgment within
that range that depends on the engagement circumstances, including the
information needs of intended users as a group, the criteria, and the underlying
subject matter of the engagement.
A6.
Because the level of assurance obtained by the practitioner in limited assurance
engagements varies, the practitioner’s report contains an informative summary
of the procedures performed, recognizing that an appreciation of the nature,
timing and extent of procedures performed is essential to understanding the
practitioner’s conclusion (see paragraphs C69(k) and A173-A177).
A7.
Some of the factors that may be relevant in determining what constitutes
meaningful assurance in a specific engagement include, for example:
• The characteristics of the underlying subject matter and the criteria, and
whether there are any relevant subject-matter-specific CSAEs.
• Instructions or other indications from the engaging party about the nature of
the assurance the engaging party is seeking the practitioner to obtain. For
example, the terms of the engagement may stipulate particular procedures
that the engaging party considers necessary or particular aspects of the
subject matter information on which the engaging party would like the
practitioner to focus procedures. However, the practitioner may consider
that other procedures are required to obtain sufficient appropriate evidence
to obtain meaningful assurance.
• Generally accepted practice, if it exists, with respect to assurance
engagements for the particular subject matter information, or similar or
related subject matter information.
• The information needs of intended users as a group. Generally, the greater
the consequence to intended users of receiving an inappropriate conclusion
when the subject matter information is materially misstated, the greater
assurance that would be needed in order to be meaningful to them. For
example, in some cases, the consequence to intended users of receiving
an inappropriate conclusion may be so great that a reasonable assurance
engagement is needed for the practitioner to obtain assurance that is
meaningful in the circumstances.
• The expectation by intended users that the practitioner will form the limited
conclusion on the subject matter information within a short timeframe and at
a low cost.
Examples of Attestation Engagements (Ref: Para. C12C(a)(ii)(a))
CA8.
Examples of engagements that may be conducted under this CSAE include:
(a) An audit of internal control over financial reporting that is integrated with a
financial statement audit.
(b) An audit or review of an entity’s greenhouse gas emissions.
(c) An audit or review of a service organization’s description of its controls and
the suitability of design and operating effectiveness of those controls.
[The following three examples are provided in ISAE 3000:
(a) Sustainability – An engagement on sustainability involves obtaining
assurance on a report prepared by management or management’s expert
(the measurer or evaluator) on the sustainability performance of the entity.
(b) Compliance with law or regulation – An engagement on compliance with
law or regulation involves obtaining assurance on a statement by another
party (the measurer or evaluator) of compliance with the relevant law or
regulation.
(c) Value for money – An engagement on value for money involves obtaining
assurance on a measurement or evaluation of value for money by another
party (the measurer or evaluator).]
Assurance Skills and Techniques (Ref: Para. C12(b))
A9. Assurance skills and techniques include:
• Application of professional skepticism and professional judgment;
• Planning and performing an assurance engagement, including obtaining
and evaluating evidence;
• Understanding information systems and the role and limitations of internal
control;
• Linking the consideration of materiality and engagement risks to the nature,
timing and extent of procedures;
• Applying procedures as appropriate to the engagement (which may include
inquiry, inspection, recalculation, reperformance, observation, confirmation,
and analytical procedures); and
• Systematic documentation practices and assurance report-writing skills.
Criteria (Ref: Para. C12(c), Appendix 1)
A10.
Suitable criteria are required for reasonably consistent measurement or
evaluation of an underlying subject matter within the context of professional
judgment. Without the frame of reference provided by suitable criteria, any
conclusion is open to individual interpretation and misunderstanding. The
suitability of criteria is context-sensitive; that is, it is determined in the context of
the engagement circumstances. Even for the same underlying subject matter
there can be different criteria, which will yield a different measurement or
evaluation. For example, a measurer or evaluator might select, as one of the
criteria for the underlying subject matter of customer satisfaction, the number of
customer complaints resolved to the acknowledged satisfaction of the
customer; another measurer or evaluator might select the number of repeat
purchases in the three months following the initial purchase. The suitability of
criteria is not affected by the level of assurance; that is, if criteria are unsuitable
for a reasonable assurance engagement, they are also unsuitable for a limited
assurance engagement, and vice versa. Suitable criteria include, when
relevant, criteria for presentation and disclosure.
Engagement Risk (Ref: Para. C12(f))
A11.
Engagement risk does not refer to, or include, the practitioner’s business risks,
such as loss from litigation, adverse publicity, or other events arising in
connection with particular subject matter information.
A12.
In general, engagement risk can be represented by the following components,
although not all of these components will necessarily be present or significant
for all assurance engagements:
(a) Risks that the practitioner does not directly influence, which in turn consist
of:
(i) The susceptibility of the subject matter information to a material
misstatement before consideration of any related controls applied by
the appropriate party(ies) (inherent risk); and
(ii) The risk that a material misstatement that occurs in the subject matter
information will not be prevented, or detected and corrected, on a timely
basis by the appropriate party(ies)’s internal control (control risk); and
(b) The risk that the practitioner does directly influence, which is the risk that
the procedures performed by the practitioner will not detect a material
misstatement (detection risk).
A13.
The degree to which each of these components is relevant to the engagement
is affected by the engagement circumstances, in particular:
• The nature of the underlying subject matter and the subject matter
information. For example, the concept of control risk may be more useful
when the underlying subject matter relates to the preparation of information
about an entity’s performance than when it relates to information about the
effectiveness of a control or the existence of a physical condition.
• Whether a reasonable assurance or a limited assurance engagement is
being performed. For example, in limited assurance engagements, the
practitioner may often decide to obtain evidence by means other than
testing of controls, in which case consideration of control risk may be less
relevant than in a reasonable assurance engagement on the same subject
matter information.
The consideration of risks is a matter of professional judgment, rather than a
matter capable of precise measurement.
A14. Reducing engagement risk to zero is very rarely attainable or cost beneficial
and, therefore, “reasonable assurance” is less than absolute assurance, as a
result of factors such as the following:
• The use of selective testing.
• The inherent limitations of internal control.
• The fact that much of the evidence available to the practitioner is
persuasive rather than conclusive.
• The use of professional judgment in gathering and evaluating evidence and
forming conclusions based on that evidence.
• In some cases, the characteristics of the underlying subject matter when
evaluated or measured against the criteria.
The Engaging Party (Ref: Para. C12(g), Appendix 1)
A15. The engaging party may be, under different circumstances, management or
those charged with governance of the responsible party, a legislature, the
intended users, the measurer or evaluator, or a different third party.
Intended Users (Ref: Para. C12(m), Appendix 1)
A16. In some cases, there may be intended users other than those to whom the
assurance report is addressed. The practitioner may not be able to identify all
those who will read the assurance report, particularly where a large number of
people have access to it. In such cases, particularly where possible users are
likely to have a broad range of interests in the underlying subject matter,
intended users may be limited to major stakeholders with significant and
common interests. Intended users may be identified in different ways, for
example, by agreement between the practitioner and the responsible party or
engaging party, or by law or regulation.
A17. Intended users or their representatives may be directly involved with the
practitioner and the responsible party (and the engaging party if different) in
determining the requirements of the engagement. Regardless of the
involvement of others however, and unlike an agreed-upon procedures
engagement (which involves reporting factual findings based upon procedures
agreed with the engaging party and any appropriate third parties, rather than a
conclusion):
(a) The practitioner is responsible for determining the nature, timing and extent
of procedures; and
(b) The practitioner may need to perform additional procedures if information
comes to the practitioner’s attention that differs significantly from that on
which the determination of planned procedures was based (see
paragraphs A115-A117).
A18. In some cases, intended users (for example, bankers and regulators) impose a
requirement on, or request the appropriate party(ies) to arrange for an
assurance engagement to be performed for a specific purpose. When
engagements use criteria that are designed for a specific purpose, paragraph
C69(f) requires a statement alerting readers to this fact. In addition, the
practitioner may consider it appropriate to indicate that the assurance report is
intended solely for specific users. Depending on the engagement
circumstances, this may be achieved by restricting the distribution or use of the
assurance report (see paragraphs A166-A167).
Subject Matter Information (Ref: Para. C12(x), Appendix 1)
A19. In some cases, the subject matter information may be a statement that
evaluates an aspect of a process, or of performance or compliance, in relation
to the criteria. For example, “ABC’s internal control operated effectively in terms
of XYZ criteria during the period ….” or “ABC’s governance structure conformed
with XYZ criteria during the period …”.
The Appropriate Party(ies) (Ref: Para. 13, Appendix 1)
A20. The roles played by the responsible party, the measurer or evaluator, and the
engaging party can vary (see paragraph A37). Also, management and
governance structures vary by jurisdiction and by entity, reflecting influences
such as different cultural and legal backgrounds, and size and ownership
characteristics. Such diversity means that it is not possible for CSAEs to specify
for all engagements the person(s) with whom the practitioner is to inquire of,
request representations from, or otherwise communicate with in all
circumstances. In some cases, for example, when the appropriate party(ies) is
only part of a complete legal entity, identifying the appropriate management
personnel or those charged with governance with whom to communicate will
require the exercise of professional judgment to determine which person(s)
have the appropriate responsibilities for, and knowledge of, the matters
concerned.
Conduct of an Attestation Engagement in Accordance with CSAEs
Complying with Standards that Are Relevant to the Engagement (Ref: Para. 1, C5, 15)
A21. This CSAE includes requirements that apply to all attestation engagements
(other than audits or reviews of historical financial information), including
engagements in accordance with a subject-matter-specific CSAE. In some
cases, a subject-matter-specific CSAE is also relevant to the engagement. A
subject-matter-specific CSAE is relevant to the engagement when the CSAE is
in effect, the subject matter of the CSAE is relevant to the engagement, and the
circumstances addressed by the CSAE exist.
A22. The CASs, Section 8200 and Section 8500 have been written for audits and
reviews of historical financial information, respectively, and do not apply to other
assurance engagements. They may, however, provide guidance in relation to
the engagement process generally for practitioners undertaking an assurance
engagement in accordance with this CSAE.
Text of a CSAE (Ref: Para. C12, 16)
A23. CSAEs contain the objectives of the practitioner in following the CSAEs, and
requirements designed to enable the practitioner to meet those objectives. In
addition, they contain related guidance in the form of application and other
explanatory material, introductory material that provides context relevant to a
proper understanding of the CSAE, and definitions.
A24. The objectives in a CSAE provide the context in which the requirements of the
CSAE are set, and are intended to assist in:
(a) Understanding what is to be accomplished; and
(b) Deciding whether more needs to be done to achieve the objectives.
The proper application of the requirements of a CSAE by the practitioner is
expected to provide a sufficient basis for the practitioner’s achievement of the
objectives. However, because the circumstances of assurance engagements
vary widely and all such circumstances cannot be anticipated in the CSAEs, the
practitioner is responsible for determining the procedures necessary to fulfill the
requirements of relevant CSAEs and to achieve the objectives stated therein. In
the circumstances of an engagement, there may be particular matters that
require the practitioner to perform procedures in addition to those required by
relevant CSAEs to meet the objectives specified in those CSAEs.
A25. The requirements of CSAEs are expressed using “shall.”
A26. Where necessary, the application and other explanatory material provides
further explanation of the requirements and guidance for carrying them out. In
particular, it may:
(a) Explain more precisely what a requirement means or is intended to cover;
and
(b) Include examples that may be appropriate in the circumstances.
While such guidance does not in itself impose a requirement, it is relevant to the
proper application of the requirements. The application and other explanatory
material may also provide background information on matters addressed in a
CSAE. Where appropriate, additional considerations specific to public sector
audit organizations or smaller firms are included within the application and other
explanatory material. These additional considerations assist in the application of
the requirements in the CSAEs. They do not, however, limit or reduce the
responsibility of the practitioner to apply and comply with the requirements in a
CSAE.
A27. Definitions are provided in the CSAEs to assist in the consistent application and
interpretation of the CSAEs, and are not intended to override definitions that
may be established for other purposes, whether by laws, regulations or
otherwise.
A28. Appendices form part of the application and other explanatory material. The
purpose and intended use of an appendix are explained in the body of the
related CSAE or within the title and introduction of the appendix itself.
Complying with Relevant Requirements (Ref: Para. 17)
A29. Although some procedures are required only for reasonable assurance
engagements, they may nonetheless be appropriate in some limited assurance
engagements.
Ethical Requirements (Ref: Para. C3(a), C20, 22(a))
CA30. In Canada, relevant ethical requirements for public accountants establish the
following fundamental principles with which the practitioner is required to
comply:
(a) Maintenance of the reputation of profession;
(b) Integrity and due care;
(c) Objectivity;
(d) Professional competence;
(e) Compliance with professional standards;
(f) Confidentiality of information;
(g) Conflict of interest;
(h) Duty to report breach of rules of professional conduct;
(i) Handling of trust funds and other property;
(j) Handling of property of others;
(k) Unlawful activity;
(l) Fee quotations;
(m) Contingent fees;
(n) Payment or receipt of commissions; and
(o) Advertising and promotion, including solicitation and endorsements.
[In ISAE 3000, paragraph A30 states: Part A of the IESBA Code establishes the
following fundamental principles with which the practitioner is required to
comply: (a) Integrity; (b) Objectivity; (c) Professional competence and due care;
(d) Confidentiality; and (e) Professional behavior.]
CA31. In Canada, relevant ethical requirements for public accountants also provide a
conceptual framework for professional accountants to apply to:
(a) Identify threats to compliance with the fundamental principles. Threats fall
into one or more of the following categories:
(i) Self-interest;
(ii) Self-review;
(iii) Advocacy;
(iv) Familiarity; and
(v) Intimidation;
(b) Evaluate the significance of the threats identified; and
(c) Apply safeguards, when necessary, to eliminate the threats or reduce them
to an acceptable level. Safeguards are necessary when the professional
accountant determines that the threats are not at a level at which a
reasonable and informed third party would be likely to conclude, weighing
all the specific facts and circumstances available to the professional
accountant at that time, that compliance with the fundamental principles is
not compromised.
[In ISAE 3000, the first sentence of paragraph A31 states: Part A of the IESBA
Code also provides a conceptual framework for professional accountants to
apply to:]
CA32. [Not used.] [In ISAE 3000, paragraph A32 states: Part B of the IESBA Code
describes how the conceptual framework in Part A applies in certain situations
to professional accountants in public practice, including: Professional
appointment; Conflicts of interest; Second opinions; Fees and other types of
remuneration; Marketing professional services; Gifts and hospitality; Custody of
client assets; Objectivity; and Independence.]
CA33. In Canada, relevant ethical requirements for public accountants require the
practitioner to be and remain free of any influence, interest or relationship, in
respect of the client's affairs, which impairs the practitioner’s professional
judgment or objectivity or which, in the view of a reasonable observer, would
impair the practitioner’s professional judgment or objectivity. Independence
safeguards the ability to form an assurance conclusion without being affected
by influences that might compromise that conclusion. Independence enhances
the ability to act with integrity, to be objective and to maintain an attitude of
professional skepticism. Matters addressed in the relevant ethical requirements
for public accountants with respect to independence include:
• Financial interests;
• Loans and guarantees;
• Business relationships;
• Family and personal relationships;
• Employment with assurance clients;
• Recent service with an assurance client;
• Serving as a director or officer of an assurance client;
• Long association of senior personnel with assurance clients;
• Provision of non-assurance services to assurance clients;
• Fees (relative size, overdue, and contingent fees); and
• Gifts and hospitality.
[In ISAE 3000, the opening sentences in paragraph A33 state: The IESBA Code
defines independence as comprising both independence of mind and
independence in appearance. Independence safeguards the ability to form a
conclusion without being affected by influences that might compromise that
conclusion. Independence enhances the ability to act with integrity, to be
objective and to maintain an attitude of professional skepticism. Matters
addressed in the IESBA Code with respect to independence include: …]
CA34. Professional requirements, or requirements imposed by law or regulation, are at
least as demanding as relevant rules of professional conduct/code of ethics in
Canada, applicable to the practice of public accounting directed to practitioners
and other members of assurance teams when they address all the matters
referred to in paragraphs CA30-CA33 and impose obligations that achieve the
aims of the requirements set out in the relevant rules of professional
conduct/code of ethics in Canada applicable to the practice of public accounting
and related to assurance engagements. [In ISAE 3000, paragraph A34 states:
Professional requirements, or requirements imposed by law or regulation, are at
least as demanding as Parts A and B of the IESBA Code related to assurance
engagements when they address all the matters referred to in paragraphs A30-A33 and impose obligations that achieve the aims of the requirements set out in
Parts A and B of the IESBA Code related to assurance engagements.]
Acceptance and Continuance
Preconditions for the Attestation Engagement (Ref: Para. 24)
A35. In a public sector environment, some of the preconditions for an assurance
engagement may be assumed to be present, for example:
(a) The roles and responsibilities of public sector audit organizations and the
government entities scoped into assurance engagements are assumed to
be appropriate because they are generally set out in legislation;
(b) Public sector audit organizations’ right of access to the information
necessary to perform the engagement is often set out in legislation;
(c) The practitioner’s conclusion, in the form appropriate to either a reasonable
assurance engagement or a limited assurance engagement, is generally
required by legislation to be contained in a written report; and
(d) A rational purpose is generally present because the engagement is set out
in legislation.
A36. If suitable criteria are not available for all of the underlying subject matter but
the practitioner can identify one or more aspects of the underlying subject
matter for which those criteria are suitable, then an assurance engagement can
be performed with respect to that aspect of the underlying subject matter in its
own right. In such cases, the assurance report may need to clarify that the
report does not relate to the original underlying subject matter in its entirety.
Roles and Responsibilities (Ref: Para. C12(m), C12(n), C12(r), C12(v), 13, 24(a),
Appendix 1)
A37. All assurance engagements have at least three parties: the responsible party,
the practitioner, and the intended users. In many attestation engagements, the
responsible party may also be the measurer or evaluator, and the engaging
party. See Appendix 1 for a discussion of how each of these roles relate to an
assurance engagement.
A38. Evidence that the appropriate relationship exists with respect to responsibility
for the underlying subject matter may be obtained through an acknowledgement
provided by the responsible party. Such an acknowledgement also establishes
a basis for a common understanding of the responsibilities of the responsible
party and the practitioner. A written acknowledgement is the most appropriate
form of documenting the responsible party’s understanding. In the absence of a
written acknowledgement of responsibility, it may still be appropriate for the
practitioner to accept the engagement if, for example, other sources, such as
legislation or a contract, indicate responsibility. In other cases, it may be
appropriate to decline the engagement depending on the circumstances, or to
disclose the circumstances in the assurance report.
A39. The measurer or evaluator is responsible for having a reasonable basis for the
subject matter information. What constitutes a reasonable basis will depend on
the nature of the underlying subject matter and other engagement
circumstances. In some cases, a formal process with extensive internal controls
may be needed to provide the measurer or evaluator with a reasonable basis
that the subject matter information is free from material misstatement. The fact
that the practitioner will report on the subject matter information is not a
substitute for the measurer or evaluator’s own processes to have a reasonable
basis for the subject matter information.
Appropriateness of the Underlying Subject Matter (Ref: Para. 24(b)(i))
A40. An appropriate underlying subject matter is identifiable and capable of
consistent measurement or evaluation against the applicable criteria such that
the resulting subject matter information can be subjected to procedures for
obtaining sufficient appropriate evidence to support a reasonable assurance or
limited assurance conclusion, as appropriate.
A41. The appropriateness of an underlying subject matter is not affected by the level
of assurance; that is, if an underlying subject matter is not appropriate for a
reasonable assurance engagement, it is also not appropriate for a limited
assurance engagement, and vice versa.
A42. Different underlying subject matters have different characteristics, including the
degree to which information about them is qualitative versus quantitative,
objective versus subjective, historical versus prospective, and relates to a point
in time or covers a period. Such characteristics affect the:
(a) Precision with which the underlying subject matter can be measured or
evaluated against criteria; and
(b) The persuasiveness of available evidence.
A43. Identifying such characteristics and considering their effects assist the
practitioner when assessing the appropriateness of the underlying subject
matter and also in determining the content of the assurance report (see
paragraph A163).
A44. In some cases, the assurance engagement may relate to only one part of a
broader underlying subject matter. For example, the practitioner may be
engaged to report on one aspect of an entity’s contribution to sustainable
development, such as a number of programs run by an entity that have positive
environmental outcomes. In determining whether the engagement exhibits the
characteristic of having an appropriate underlying subject matter in such cases,
it may be appropriate for the practitioner to consider whether information about
the aspect on which the practitioner is asked to report is likely to meet the
information needs of intended users as a group, and also how the subject
matter information will be presented and distributed, for example, whether there
are more significant programs with less favorable outcomes that the entity is not
reporting upon.
Suitability and Availability of the Criteria
Suitability of the criteria (Ref: Para. 24(b)(ii))
A45. Suitable criteria exhibit the following characteristics:
(a) Relevance: Relevant criteria result in subject matter information that assists
decision-making by the intended users.
(b) Completeness: Criteria are complete when subject matter information
prepared in accordance with them does not omit relevant factors that could
reasonably be expected to affect decisions of the intended users made on
the basis of that subject matter information. Complete criteria include,
where relevant, benchmarks for presentation and disclosure.
(c) Reliability: Reliable criteria allow reasonably consistent measurement or
evaluation of the underlying subject matter including, where relevant,
presentation and disclosure, when used in similar circumstances by
different practitioners.
(d) Neutrality: Neutral criteria result in subject matter information that is free
from bias as appropriate in the engagement circumstances.
(e) Understandability: Understandable criteria result in subject matter
information that can be understood by the intended users.
A46. Vague descriptions of expectations or judgments of an individual’s experiences
do not constitute suitable criteria.
A47. The suitability of criteria for a particular engagement depends on whether they
reflect the above characteristics. The relative importance of each characteristic
to a particular engagement is a matter of professional judgment. Further, criteria
may be suitable for a particular set of engagement circumstances, but may not
be suitable for a different set of engagement circumstances. For example,
reporting to governments or regulators may require the use of a particular set of
criteria, but these criteria may not be suitable for a broader group of users.
A48. Criteria can be selected or developed in a variety of ways, for example, they
may be:
• Embodied in law or regulation.
• Issued by authorized or recognized bodies of experts that follow a
transparent due process.
• Developed collectively by a group that does not follow a transparent due
process.
• Published in scholarly journals or books.
• Developed for sale on a proprietary basis.
• Specifically designed for the purpose of preparing the subject matter
information in the particular circumstances of the engagement.
How criteria are developed may affect the work that the practitioner carries out
to assess their suitability.
A49. In some cases, law or regulation prescribes the criteria to be used for the
engagement. In the absence of indications to the contrary, such criteria are
presumed to be suitable, as are criteria issued by authorized or recognized
bodies of experts that follow a transparent due process if they are relevant to
the intended users’ information needs. Such criteria are known as established
criteria. Even when established criteria exist for an underlying subject matter,
specific users may agree to other criteria for their specific purposes. For
example, various frameworks can be used as established criteria for evaluating
the effectiveness of internal control. Specific users may, however, develop a
more detailed set of criteria that meet their specific information needs in relation
to, for example, prudential supervision. In such cases, the assurance report:
(a) Alerts readers that the subject matter information is prepared in accordance
with special purpose criteria and that, as a result, the subject matter
information may not be suitable for another purpose (see paragraph
C69(f)); and
(b) May note, when it is relevant to the circumstances of the engagement, that
the criteria are not embodied in law or regulation, or issued by authorized or
recognized bodies of experts that follow a transparent due process.
A50. If criteria are specifically designed for the purpose of preparing the subject
matter information in the particular circumstances of the engagement, they are
not suitable if they result in subject matter information or an assurance report
that is misleading to the intended users. It is desirable for the intended users or
the engaging party to acknowledge that specifically developed criteria are
suitable for the intended users’ purposes. The absence of such an
acknowledgement may affect what is to be done to assess the suitability of the
criteria, and the information provided about the criteria in the assurance report.
Availability of the criteria (Ref: Para. 24(b)(iii))
A51. Criteria need to be available to the intended users to allow them to understand
how the underlying subject matter has been measured or evaluated. Criteria are
made available to the intended users in one or more of the following ways:
(a) Publicly.
(b) Through inclusion in a clear manner in the presentation of the subject
matter information.
(c) Through inclusion in a clear manner in the assurance report (see paragraph
A164).
(d) By general understanding, for example, the criterion for measuring time in
hours and minutes.
A52. Criteria may also be available only to intended users, for example, the terms of
a contract, or criteria issued by an industry association that are available only to
those in the industry because they are relevant only to a specific purpose.
When this is the case, paragraph C69(f) requires a statement alerting readers
to this fact. In addition, the practitioner may consider it appropriate to indicate
that the assurance report is intended solely for specific users (see paragraph
A166-A167).
Access to Evidence (Ref: Para. 24(b)(iv))
Quantity and quality of available evidence
A53. The quantity or quality of available evidence is affected by:
(a) The characteristics of the underlying subject matter or the subject matter
information. For example, less objective evidence might be expected when
the subject matter information is future oriented rather than historical; and
(b) Other circumstances, such as when evidence that could reasonably be
expected to exist is not available because of, for example, the timing of the
practitioner’s appointment, an entity’s document retention policy,
inadequate information systems, or a restriction imposed by the responsible
party.
Ordinarily, evidence will be persuasive rather than conclusive.
Access to records (Ref: Para. 56)
A54. Seeking the agreement of the appropriate party(ies) that it acknowledges and
understands its responsibility to provide the practitioner with the following may
assist the practitioner in determining whether the engagement exhibits the
characteristic of access to evidence:
(a) Access to all information of which the appropriate party(ies) is aware that is
relevant to the preparation of the subject matter information such as
records, documentation and other matters;
(b) Additional information that the practitioner may request from the appropriate
party(ies) for the purpose of the engagement; and
(c) Unrestricted access to persons from the appropriate party(ies) from whom
the practitioner determines it necessary to obtain evidence.
A55. The nature of relationships between the responsible party, the measurer or
evaluator, and the engaging party may affect the practitioner’s ability to access
records, documentation and other information the practitioner may require as
evidence to complete the engagement. The nature of such relationships may
therefore be a relevant consideration when determining whether or not to
accept the engagement. Examples of some circumstances in which the nature
of these relationships may be problematic are included in paragraph A139.
A Rational Purpose (Ref: Para. 24(b)(vi))
A56. In determining whether the engagement has a rational purpose, relevant
considerations may include the following:
• The intended users of the subject matter information and the assurance
report (particularly, when the criteria are designed for a special purpose). A
further consideration is the likelihood that the subject matter information and
the assurance report will be used or distributed more broadly than to
intended users.
• Whether aspects of the subject matter information are expected to be
excluded from the assurance engagement, and the reason for their
exclusion.
• The characteristics of the relationships between the responsible party, the
measurer or evaluator, and the engaging party, for example, when the
measurer or evaluator is not the responsible party, whether the responsible
party consents to the use to be made of the subject matter information and
will have the opportunity to review the subject matter information before it is
made available to intended users or to distribute comments with the subject
matter information.
• Who selected the criteria to be applied to measure or evaluate the
underlying subject matter, and what the degree of judgment and scope for
bias is in applying them. The engagement is more likely to have a rational
purpose if the intended users selected or were involved in selecting the
criteria.
• Any significant limitations on the scope of the practitioner’s work.
• Whether the practitioner believes the engaging party intends to associate
the practitioner’s name with the underlying subject matter or the subject
matter information in an inappropriate manner.
Agreeing on the Terms of the Engagement (Ref: Para. 27)
A57. It is in the interests of both the engaging party and the practitioner that the
practitioner communicates in writing the agreed terms of the engagement
before the commencement of the engagement to help avoid
misunderstandings. The form and content of the written agreement or contract
will vary with the engagement circumstances. For example, if law or regulation
prescribes in sufficient detail the terms of the engagement, the practitioner need
not record them in a written agreement, except for the fact that such law or
regulation applies and that the appropriate party acknowledges and
understands its responsibilities under such law or regulation.
A58. Law or regulation, particularly in the public sector, may mandate the
appointment of a practitioner and set out specific powers, such as the power to
access an appropriate party(ies)’s records and other information, and
responsibilities, such as requiring the practitioner to report directly to a minister,
the legislature or the public if an appropriate party(ies) attempts to limit the
scope of the engagement.
Acceptance of a Change in the Terms of the Engagement (Ref: Para. 29)
A59. A change in circumstances that affects the intended users’ requirements, or a
misunderstanding concerning the nature of the engagement, may justify a
request for a change in the engagement, for example, from an assurance
engagement to a non-assurance engagement, or from a reasonable assurance
engagement to a limited assurance engagement. An inability to obtain sufficient
appropriate evidence to form a reasonable assurance conclusion is not an
acceptable reason to change from a reasonable assurance engagement to a
limited assurance engagement.
Quality Control
Professional Accountants in Public Practice (Ref: Para. C20, 31(a)-(b))
CA60. This CSAE has been written in the context of a range of measures taken to
ensure the quality of assurance engagements undertaken by professional
accountants in public practice. Such measures include:
• Competency requirements, such as education and experience benchmarks
for entry to membership, and ongoing continuing professional development
as well as life-long learning requirements.
• Quality control policies and procedures implemented across the firm. CSQC
1 applies to all firms of professional accountants in respect of assurance
engagements.
• Comprehensive rules of professional conduct/code of ethics, including
detailed independence requirements, founded on fundamental principles of
integrity, objectivity, professional competence and due care, confidentiality
and professional behavior.
[In ISAE 3000, the first sentence of this paragraph states: This ISAE has been
written in the context of a range of measures taken to ensure the quality of
assurance engagements undertaken by professional accountants in public
practice, such as those taken by IFAC member bodies in accordance with
IFAC’s Member Body Compliance Program and Statements of Membership
Obligations.]
Firm Level Quality Control (Ref: Para. C3(b), 31(a))
A61.
CSQC 1 deals with the firm’s responsibilities to establish and maintain its
system of quality control for assurance engagements. It sets out the
responsibilities of the firm for establishing policies and procedures designed to
provide it with reasonable assurance that the firm and its personnel comply with
relevant ethical requirements, including those pertaining to independence.
Compliance with CSQC 1 requires, among other things, that the firm establish
and maintain a system of quality control that includes policies and procedures
addressing each of the following elements, and that it documents its policies
and procedures and communicates them to the firm’s personnel:
(a) Leadership responsibilities for quality within the firm;
(b) Relevant ethical requirements;
(c) Acceptance and continuance of client relationships and specific
engagements;
(d) Human resources;
(e) Engagement performance; and
(f) Monitoring.
A62.
Other professional requirements, or requirements in law or regulation that deal
with the firm’s responsibilities to establish and maintain a system of quality
control, are at least as demanding as CSQC 1 when they address all the
matters referred to in the preceding paragraph and impose obligations on the
firm that achieve the aims of the requirements set out in CSQC 1.
A63.
The actions of the engagement partner, and appropriate messages to the other
members of the engagement team, in the context of the engagement partner
taking responsibility for the overall quality on each engagement, emphasize the
fact that quality is essential in performing an assurance engagement, and the
importance to the quality of the assurance engagement of:
(a) Performing work that complies with professional standards and regulatory
and legal requirements.
(b) Complying with the firm’s quality control policies and procedures as
applicable.
(c) Issuing a report for the engagement that is appropriate in the
circumstances.
(d) The engagement team’s ability to raise concerns without fear of reprisals.
A64.
An effective system of quality control includes a monitoring process designed to
provide the firm with reasonable assurance that its policies and procedures
relating to the system of quality control are relevant, adequate and operating
effectively.
A65.
Unless information provided by the firm or other parties suggests otherwise, the
engagement team is entitled to rely on the firm’s system of quality control. For
example, the engagement team may rely on the firm’s system of quality control
in relation to:
(a) Competence of personnel through their recruitment and formal training.
(b) Independence through the accumulation and communication of relevant
independence information.
(c) Maintenance of client relationships through acceptance and continuance
systems.
(d) Adherence to regulatory and legal requirements through the monitoring
process.
In considering deficiencies identified in the firm’s system of quality control that
may affect the assurance engagement, the engagement partner may consider
measures taken by the firm to rectify those deficiencies.
A66.
A deficiency in the firm’s system of quality control does not necessarily indicate
that an assurance engagement was not performed in accordance with
professional standards and applicable legal and regulatory requirements, or that
the practitioner’s report was not appropriate.
Skills, Knowledge and Experience with Respect to the Underlying Subject Matter and Its
Measurement or Evaluation (Ref: Para. 31(c))
A67.
A practitioner may be requested to perform assurance engagements with
respect to a wide range of underlying subject matter and subject matter
information. Some may require specialized skills and knowledge beyond those
ordinarily possessed by a particular individual.
CA68. The relevant rules of professional conduct/code of ethics in Canada require the
professional accountant in public practice to agree to provide only those
services that the professional accountant in public practice is competent to
perform. The practitioner has sole responsibility for the assurance conclusion
expressed, and that responsibility is not reduced by the practitioner’s use of the
work of a practitioner’s expert. Nonetheless, if the practitioner using the work of
a practitioner’s expert, having followed this CSAE, concludes that the work of
that expert is adequate for the practitioner’s purposes, the practitioner may
accept that expert’s findings or conclusions in the expert’s field as appropriate
evidence. [In ISAE 3000, the first sentence of paragraph A68 states: The IESBA
Code requires the professional accountant in public practice to agree to provide
only those services that the professional accountant in public practice is
competent to perform (footnote reference to Code paragraph 210.6).]
Assignment of the Team
Collective Competence and Capabilities (Ref: Para. 32)
A69.
CSQC 1 requires the firm to establish policies and procedures for the
acceptance and continuance of client relationships and specific engagements,
designed to provide the firm with reasonable assurance that it will only
undertake or continue relationships and engagements where the firm is
competent to perform the engagement and has the capabilities, including time
and resources, to do so.[4]
Practitioner’s Expert (Ref: Para. 32(a), 32(b)(i))
A70.
Some of the assurance work may be performed by a multi-disciplinary team that
includes one or more practitioner’s experts. For example, a practitioner’s expert
may be needed to assist the practitioner in obtaining an understanding of the
underlying subject matter and other engagement circumstances or in one or
more of the matters mentioned in paragraph 46R (in the case of a reasonable
assurance engagement) or 46L (in the case of a limited assurance
engagement).
A71.
When the work of a practitioner’s expert is to be used, it may be appropriate to
perform some of the procedures required by paragraph 52 at the engagement
acceptance or continuance stage.
Other Practitioners (Ref: Para. 32(b)(ii))
A72.
The subject matter information may include information upon which another
practitioner may have expressed a conclusion. The practitioner, in concluding
on the subject matter information, may decide to use the evidence on which that
other practitioner’s conclusion is based to provide evidence regarding the
subject matter information.
A73.
The work of another practitioner may be used in relation to, for example, an
underlying subject matter at a remote location or in a foreign jurisdiction. Such
other practitioners are not part of the engagement team. Relevant
considerations when the engagement team plans to use the work of another
practitioner may include:
•
Whether the other practitioner understands and complies with the ethical
requirements that are relevant to the engagement and, in particular, is
independent.
•
The other practitioner’s professional competence.
•
The extent of the engagement team’s involvement in the work of the other
practitioner.
•
Whether the other practitioner operates in a regulatory environment that
actively oversees that practitioner.
[4] CSQC 1, paragraph 26
Review Responsibilities (Ref: Para. 33(c))
A74.
Under CSQC 1, the firm’s review responsibility policies and procedures are
determined on the basis that the work of less experienced team members is
reviewed by more experienced team members.[5]
Engagement Quality Control Review (Ref: Para. 36(b))
A75.
Other matters that may be considered in an engagement quality control review
include:
(a) The engagement team’s evaluation of the firm’s independence in relation to
the engagement;
(b) Whether appropriate consultation has taken place on matters involving
differences of opinion or other difficult or contentious matters, and the
conclusions arising from those consultations; and
(c) Whether engagement documentation selected for review reflects the work
performed in relation to the significant judgments and supports the
conclusions reached.
Professional Skepticism and Professional Judgment
Professional Skepticism (Ref: Para. 37)
A76.
Professional skepticism is an attitude that includes being alert to, for example:
•
Evidence that is inconsistent with other evidence obtained.
•
Information that calls into question the reliability of documents and
responses to inquiries to be used as evidence.
•
Circumstances that suggest the need for procedures in addition to those
required by relevant CSAEs.
•
Conditions that may indicate likely misstatement.
A77.
Maintaining professional skepticism throughout the engagement is necessary if
the practitioner is, for example, to reduce the risks of:
•
Overlooking unusual circumstances.
•
Overgeneralizing when drawing conclusions from observations.
•
Using inappropriate assumptions in determining the nature, timing and
extent of the procedures, and evaluating the results thereof.
A78.
Professional skepticism is necessary to the critical assessment of evidence.
This includes questioning inconsistent evidence and the reliability of documents
and responses to inquiries. It also includes consideration of the sufficiency and
appropriateness of evidence obtained in the light of the circumstances.
[5] CSQC 1, paragraph 33
A79.
Unless the engagement involves assurance about whether documents are
genuine, the practitioner may accept records and documents as genuine unless
the practitioner has reason to believe the contrary. Nonetheless, the practitioner
is required by paragraph 50 to consider the reliability of information to be used
as evidence.
A80.
The practitioner cannot be expected to disregard past experience of the
honesty and integrity of those who provide evidence. Nonetheless, a belief that
those who provide evidence are honest and have integrity does not relieve the
practitioner of the need to maintain professional skepticism.
Professional Judgment (Ref: Para. 38)
A81.
Professional judgment is essential to the proper conduct of an assurance
engagement. This is because interpretation of relevant ethical requirements and
relevant CSAEs and the informed decisions required throughout the
engagement cannot be made without the application of relevant training,
knowledge, and experience to the facts and circumstances. Professional
judgment is necessary in particular regarding decisions about:
•
Materiality and engagement risk.
•
The nature, timing and extent of procedures used to meet the requirements
of relevant CSAEs and obtain evidence.
•
Evaluating whether sufficient appropriate evidence has been obtained, and
whether more needs to be done to achieve the objectives of this CSAE and
any relevant subject-matter-specific CSAE. In particular, in the case of a
limited assurance engagement, professional judgment is required in
evaluating whether a meaningful level of assurance has been obtained.
•
The appropriate conclusions to draw based on the evidence obtained.
A82.
The distinguishing feature of the professional judgment expected of a
practitioner is that it is exercised by a practitioner whose training, knowledge
and experience have assisted in developing the necessary competencies to
achieve reasonable judgments.
A83.
The exercise of professional judgment in any particular case is based on the
facts and circumstances that are known by the practitioner. Consultation on
difficult or contentious matters during the course of the engagement, both within
the engagement team and between the engagement team and others at the
appropriate level within or outside the firm, assists the practitioner in making
informed and reasonable judgments, including the extent to which particular
items in the subject matter information are affected by judgment of the
appropriate party.
A84.
Professional judgment can be evaluated based on whether the judgment
reached reflects a competent application of assurance and measurement or
evaluation principles and is appropriate in the light of, and consistent with, the
facts and circumstances that were known to the practitioner up to the date of
the practitioner’s assurance report.
A85.
Professional judgment needs to be exercised throughout the engagement. It
also needs to be appropriately documented. In this regard, paragraph 79
requires the practitioner to prepare documentation sufficient to enable an
experienced practitioner, having no previous connection with the engagement,
to understand the significant professional judgments made in reaching
conclusions on significant matters arising during the engagement. Professional
judgment is not to be used as the justification for decisions that are not
otherwise supported by the facts and circumstances of the engagement or
sufficient appropriate evidence.
Planning and Performing the Engagement
Planning (Ref: Para. 40)
A86.
Planning involves the engagement partner, other key members of the
engagement team, and any key practitioner’s external experts developing an
overall strategy for the scope, emphasis, timing and conduct of the
engagement, and an engagement plan, consisting of a detailed approach for
the nature, timing and extent of procedures to be performed, and the reasons
for selecting them. Adequate planning helps to devote appropriate attention to
important areas of the engagement, identify potential problems on a timely
basis and properly organize and manage the engagement in order for it to be
performed in an effective and efficient manner. Adequate planning also assists
the practitioner to properly assign work to engagement team members, and
facilitates the direction, supervision, and the review of their work. Further, it
assists, where applicable, the coordination of work done by other practitioners
and experts. The nature and extent of planning activities will vary with the
engagement circumstances, for example, the complexity of the underlying
subject matter and criteria. Examples of the main matters that may be
considered include:
•
The characteristics of the engagement that define its scope, including the
terms of the engagement and the characteristics of the underlying subject
matter and the criteria.
•
The expected timing and the nature of the communications required.
•
The results of engagement acceptance activities and, where applicable,
whether knowledge gained on other engagements performed by the
engagement partner for the appropriate party(ies) is relevant.
•
The engagement process.
•
The practitioner’s understanding of the appropriate party(ies) and its
environment, including the risks that the subject matter information may be
materially misstated.
•
Identification of intended users and their information needs, and
consideration of materiality and the components of engagement risk.
•
The extent to which the risk of fraud is relevant to the engagement.
•
The nature, timing and extent of resources necessary to perform the
engagement, such as personnel and expertise requirements, including the
nature and extent of experts’ involvement.
•
The impact of the internal audit function on the engagement.
A87.
The practitioner may decide to discuss elements of planning with the
appropriate party(ies) to facilitate the conduct and management of the
engagement (for example, to coordinate some of the planned procedures with
the work of the appropriate party(ies)’s personnel). Although these discussions
often occur, the overall engagement strategy and the engagement plan remain
the practitioner’s responsibility. When discussing matters included in the overall
engagement strategy or engagement plan, care is required in order not to
compromise the effectiveness of the engagement. For example, discussing the
nature and timing of detailed procedures with the appropriate party(ies) may
compromise the effectiveness of the engagement by making the procedures too
predictable.
A88.
Planning is not a discrete phase, but rather a continual and iterative process
throughout the engagement. As a result of unexpected events, changes in
conditions, or evidence obtained, the practitioner may need to revise the overall
strategy and engagement plan, and thereby the resulting planned nature, timing
and extent of procedures.
A89.
In smaller or less complex engagements, the entire engagement may be
conducted by a very small engagement team, possibly involving the
engagement partner (who may be a sole practitioner) working without any other
engagement team members. With a smaller team, co-ordination of, and
communication between, team members is easier. Establishing the overall
engagement strategy in such cases need not be a complex or time-consuming
exercise; it varies according to the size of the entity, the complexity of the
engagement, including the underlying subject matter and criteria, and the size
of the engagement team. For example, in the case of a recurring engagement,
a brief memorandum prepared at the completion of the previous period, based
on a review of the working papers and highlighting issues identified in the
engagement just completed, updated in the current period based on
discussions with appropriate parties, can serve as the documented engagement
strategy for the current engagement.
A90.
If in the circumstances described in paragraph 43, the practitioner continues
with the engagement:
(a) When, in the practitioner’s professional judgment, the unsuitable applicable
criteria or inappropriate underlying subject matter is likely to mislead the
intended users, a qualified conclusion or adverse conclusion would be
appropriate in the circumstances depending on how material and pervasive
the matter is.
(b) In other cases, a qualified conclusion or a disclaimer of conclusion would be
appropriate depending on, in the practitioner’s professional judgment, how
material and pervasive the matter is.
A91.
For example, if after accepting the engagement, the practitioner discovers that
the application of the applicable criteria leads to biased subject matter
information, and the bias of the subject matter information is material and
pervasive, then an adverse conclusion would be appropriate in the
circumstances.
Materiality (Ref: Para. 44)
A92.
Professional judgments about materiality are made in light of surrounding
circumstances, but are not affected by the level of assurance; that is, for the
same intended users and purpose, materiality for a reasonable assurance
engagement is the same as for a limited assurance engagement because
materiality is based on the information needs of intended users.
A93.
The applicable criteria may discuss the concept of materiality in the context of
the preparation and presentation of the subject matter information and thereby
provide a frame of reference for the practitioner in considering materiality for the
engagement. Although applicable criteria may discuss materiality in different
terms, the concept of materiality generally includes the matters discussed in
paragraphs A92-A100. If the applicable criteria do not include a discussion of
the concept of materiality, these paragraphs provide the practitioner with a
frame of reference.
A94.
Misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence
relevant decisions of intended users taken on the basis of the subject matter
information. The practitioner’s consideration of materiality is a matter of
professional judgment, and is affected by the practitioner’s perception of the
common information needs of intended users as a group. In this context, it is
reasonable for the practitioner to assume that intended users:
(a) Have a reasonable knowledge of the underlying subject matter, and a
willingness to study the subject matter information with reasonable
diligence;
(b) Understand that the subject matter information is prepared and assured to
appropriate levels of materiality, and have an understanding of any
materiality concepts included in the applicable criteria;
(c) Understand any inherent uncertainties involved in measuring or
evaluating the underlying subject matter; and
(d) Make reasonable decisions on the basis of the subject matter information
taken as a whole.
Unless the engagement has been designed to meet the particular information
needs of specific users, the possible effect of misstatements on specific users,
whose information needs may vary widely, is not ordinarily considered (see also
paragraphs A16-A18).
A95.
Materiality is considered in the context of qualitative factors and, when
applicable, quantitative factors. The relative importance of qualitative factors
and quantitative factors when considering materiality in a particular engagement
is a matter for the practitioner’s professional judgment.
A96.
Qualitative factors may include such things as:
•
The number of persons or entities affected by the subject matter.
•
The interaction between, and relative importance of, various components of
the subject matter information when it is made up of multiple components,
such as a report that includes numerous performance indicators.
•
The wording chosen with respect to subject matter information that is
expressed in narrative form.
•
The characteristics of the presentation adopted for the subject matter
information when the applicable criteria allow for variations in that
presentation.
•
The nature of a misstatement, for example, the nature of observed
deviations from a control when the subject matter information is a statement
that the control is effective.
•
Whether a misstatement affects compliance with law or regulation.
•
In the case of periodic reporting on an underlying subject matter, the effect
of an adjustment that affects past or current subject matter information or is
likely to affect future subject matter information.
•
Whether a misstatement is the result of an intentional act or is unintentional.
•
Whether a misstatement is significant having regard to the practitioner’s
understanding of known previous communications to users, for example, in
relation to the expected outcome of the measurement or evaluation of the
underlying subject matter.
•
Whether a misstatement relates to the relationship between the responsible
party, the measurer or evaluator, or the engaging party or their relationship
with other parties.
•
When a threshold or benchmark value has been identified, whether the
result of the procedure deviates from that value.
•
When the underlying subject matter is a governmental program or public
sector entity, whether a particular aspect of the program or entity is
significant with regard to the nature, visibility and sensitivity of the program
or entity.
•
When the subject matter information relates to a conclusion on compliance
with law or regulation, the seriousness of the consequences of noncompliance.
A97.
Quantitative factors relate to the magnitude of misstatements relative to
reported amounts for those aspects of the subject matter information, if any,
that are:
•
Expressed numerically; or
•
Otherwise related to numerical values (for example, the number of
observed deviations from a control may be a relevant quantitative factor
when the subject matter information is a statement that the control is
effective).
A98.
When quantitative factors are applicable, planning the engagement solely to
detect individually material misstatements overlooks the fact that the aggregate
of uncorrected and undetected individually immaterial misstatements may
cause the subject matter information to be materially misstated. It may therefore
be appropriate when planning the nature, timing and extent of procedures for
the practitioner to determine a quantity less than materiality as a basis for
determining the nature, timing and extent of procedures.
A99.
Materiality relates to the information covered by the assurance report.
Therefore, when the engagement covers some, but not all, aspects of the
information communicated about an underlying subject matter, materiality is
considered in relation to only that portion that is covered by the engagement.
A100.
Concluding on the materiality of the misstatements identified as a result of the
procedures performed requires professional judgment. For example:
•
The applicable criteria for a value-for-money engagement for a hospital’s
emergency department may include the speed of the services provided, the
quality of the services, the number of patients treated during a shift, and
benchmarking the cost of the services against other similar hospitals. If
three of these applicable criteria are satisfied but one applicable criterion is
not satisfied by a small margin, then professional judgment is needed to
conclude whether the hospital’s emergency department represents value
for money as a whole.
•
In a compliance engagement, the entity may have complied with nine
provisions of the relevant law or regulation, but did not comply with one
provision. Professional judgment is needed to conclude whether the entity
complied with the relevant law or regulation as a whole. For example, the
practitioner may consider the significance of the provision with which the
entity did not comply, as well as the relationship of that provision to the
remaining provisions of the relevant law or regulation.
Understanding the Engagement Circumstances (Ref: Para. 45-47R)
A101.
Discussions between the engagement partner and other key members of the
engagement team, and any key practitioner’s external experts, about the
susceptibility of the subject matter information to material misstatement, and the
application of the applicable criteria to the facts and circumstances of the
engagement, may assist the engagement team in planning and performing the
engagement. It is also useful to communicate relevant matters to members of
the engagement team, and to any practitioner’s external experts not involved in
the discussion.
A102.
Obtaining an understanding of the underlying subject matter and other
engagement circumstances provides the practitioner with a frame of reference
for exercising professional judgment throughout the engagement, for example,
when:
•
Considering the characteristics of the underlying subject matter;
•
Assessing the suitability of criteria;
•
Considering the factors that, in the practitioner’s professional judgment, are
significant in directing the engagement team’s efforts, including where
special consideration may be necessary (for example, the need for
specialized skills or the work of an expert);
•
Establishing and evaluating the continued appropriateness of quantitative
materiality levels (where appropriate), and considering qualitative
materiality factors;
•
Developing expectations for use when performing analytical procedures;
•
Designing and performing procedures; and
•
Evaluating evidence, including the reasonableness of the oral and written
representations received by the practitioner.
A103.
The practitioner ordinarily has a lesser depth of understanding of the underlying
subject matter and other engagement circumstances than the responsible party.
The practitioner also ordinarily has a lesser depth of understanding of the
underlying subject matter and other engagement circumstances for a limited
assurance engagement than for a reasonable assurance engagement. For
example, while in some limited assurance engagements the practitioner may
obtain an understanding of internal control over the preparation of the subject
matter information, this is often not the case.
A104.
In a limited assurance engagement, identifying the areas where a material
misstatement of the subject matter information is likely to arise enables the
practitioner to focus procedures on those areas. For example, in an
engagement when the subject matter information is a sustainability report, the
practitioner may focus on certain areas of the sustainability report. The
practitioner may design and perform procedures over the entire subject matter
information when the subject matter information consists of only a single area or
when obtaining assurance over all areas of the subject matter information is
necessary to obtain meaningful assurance.
A105.
In a reasonable assurance engagement, understanding internal control over the
subject matter information assists the practitioner in identifying the types of
misstatements and factors that affect the risks of material misstatements in the
subject matter information. The practitioner is required to evaluate the design of
relevant controls and determine whether they have been implemented, by
performing procedures in addition to inquiry of the responsible party.
Professional judgment is needed to determine which controls are relevant in the
engagement circumstances.
A106.
In a limited assurance engagement, considering the process used to prepare
the subject matter information assists the practitioner in designing and
performing procedures that address the areas where a material misstatement of
the subject matter information is likely to arise. In considering the process used,
the practitioner uses professional judgment to determine which aspects of the
process are relevant to the engagement, and may make inquiries of the
appropriate party about those aspects.
A107.
In both a reasonable assurance and a limited assurance engagement, the
results of the entity’s risk assessment process may also assist the practitioner
in obtaining an understanding of the underlying subject matter and other
engagement circumstances.
Obtaining Evidence
The Nature, Timing and Extent of Procedures (Ref: Para. 48L-49R)
A108.
The practitioner chooses a combination of procedures to obtain reasonable
assurance or limited assurance, as appropriate. The procedures listed below
may be used, for example, for planning or performing the engagement,
depending on the context in which they are applied by the practitioner:
•
Inspection;
•
Observation;
•
Confirmation;
•
Recalculation;
•
Reperformance;
•
Analytical procedures; and
•
Inquiry.
A109.
Factors that may affect the practitioner’s selection of procedures include the
nature of the underlying subject matter; the level of assurance to be obtained;
and the information needs of the intended users and the engaging party,
including relevant time and cost constraints.
A110.
In some cases, a subject-matter-specific CSAE may include requirements that
affect the nature, timing and extent of procedures. For example, a
subject-matter-specific CSAE may describe the nature or extent of particular
procedures to be performed or the level of assurance expected to be obtained
in a particular type of engagement. Even in such cases, determining the exact
nature, timing and extent of procedures is a matter of professional judgment
and will vary from one engagement to the next.
A111.
In some engagements, the practitioner may not identify any areas where a
material misstatement of the subject matter information is likely to arise.
Irrespective of whether any such areas have been identified, the practitioner
designs and performs procedures to obtain a meaningful level of assurance.
A112.
An assurance engagement is an iterative process, and information may come to
the practitioner’s attention that differs significantly from that on which the
determination of planned procedures was based. As the practitioner performs
planned procedures, the evidence obtained may cause the practitioner to
perform additional procedures. Such procedures may include asking the
measurer or evaluator to examine the matter identified by the practitioner, and
to make adjustments to the subject matter information if appropriate.
Determining Whether Additional Procedures Are Necessary in a Limited Assurance
Engagement (Ref: Para. 49L)
A113.
The practitioner may become aware of misstatements that are, after applying
professional judgment, clearly not indicative of the existence of material
misstatements. The following examples illustrate when additional procedures
may not be needed because, in the practitioner’s professional judgment, the
identified misstatements are clearly not indicative of the existence of material
misstatements:
• If materiality is 10,000 units, and the practitioner judges that a potential
error of 100 units may exist, then additional procedures would not generally
be required, unless there are other qualitative factors that need to be
considered, because the risk of a material misstatement is likely to be
acceptable in the engagement circumstances.
• If, in performing a set of procedures over an area where material
misstatements are likely, a response to one inquiry among many was not as
expected, additional procedures may not be needed if the risk of a material
misstatement is, nevertheless, at a level that is acceptable in the
circumstances of the engagement in light of the results of other procedures.
A114.
The practitioner may become aware of a matter(s) that causes the practitioner
to believe that the subject matter information may be materially misstated. The
following examples illustrate when additional procedures may be needed as the
identified misstatements indicate that the subject matter information may be
materially misstated:
• When performing analytical procedures, the practitioner may identify a
fluctuation or relationship that is inconsistent with other relevant information
or that differs significantly from expected amounts or ratios.
• The practitioner may become aware of a potential material misstatement
from reviewing external sources.
• If the applicable criteria permit a 10% error rate and, based on a particular
test, the practitioner discovered a 9% error rate, then additional procedures
may be needed because the risk of a material misstatement may not be
acceptable in the engagement circumstances.
• If the results of analytical procedures are within expectations but are,
nevertheless, close to exceeding the expected value, then additional
procedures may be needed because the risk of a material misstatement
may not be acceptable in the engagement circumstances.
A115.
If, in the case of a limited assurance engagement, a matter(s) comes to the
practitioner’s attention that causes the practitioner to believe the subject matter
information may be materially misstated, the practitioner is required by
paragraph 49L to design and perform additional procedures. Additional
procedures may include, for example, inquiring of the appropriate party(ies) or
performing other procedures as appropriate in the circumstances.
A116.
If, having performed the additional procedures required by paragraph 49L, the
practitioner is not able to obtain sufficient appropriate evidence to either
conclude that the matter(s) is not likely to cause the subject matter information
to be materially misstated or determine that it does cause the subject matter
information to be materially misstated, a scope limitation exists and
paragraph 66 applies.
A117.
The practitioner’s judgment about the nature, timing and extent of additional
procedures that are needed to obtain evidence to either conclude that a
material misstatement is not likely, or determine that a material misstatement
exists, is, for example, guided by:
• Information obtained from the practitioner’s evaluation of the results of the
procedures already performed;
• The practitioner’s updated understanding of the underlying subject matter
and other engagement circumstances obtained throughout the course of
the engagement; and
• The practitioner’s view on the persuasiveness of evidence needed to
address the matter that causes the practitioner to believe that the subject
matter information may be materially misstated.
Accumulating Uncorrected Misstatements (Ref: Para. 51, 65)
A118.
Uncorrected misstatements are accumulated during the engagement (see
paragraph 51) for the purpose of evaluating whether, individually or in
aggregate, they are material when forming the practitioner’s conclusion.
A119.
The practitioner may designate an amount below which misstatements would
be clearly trivial and would not need to be accumulated because the practitioner
expects that the accumulation of such amounts clearly would not have a
material effect on the subject matter information. “Clearly trivial” is not another
expression for “not material.” Matters that are clearly trivial will be of a wholly
different (smaller) order of magnitude than materiality determined in accordance
with paragraph 44, and will be matters that are clearly inconsequential, whether
taken individually or in aggregate and whether judged by any criteria of size,
nature or circumstances. When there is any uncertainty about whether one or
more items are clearly trivial, the matter is considered not to be clearly trivial.
Considerations When a Practitioner’s Expert Is Involved on the Engagement
Nature, Timing and Extent of Procedures (Ref: Para. 52)
A120.
The following matters are often relevant when determining the nature, timing
and extent of procedures with respect to the work of a practitioner’s expert
when some of the assurance work is performed by one or more practitioner’s
expert (see paragraph A70):
(a) The significance of that expert’s work in the context of the engagement (see
also paragraphs A121-A122);
(b) The nature of the matter to which that expert’s work relates;
(c) The risks of material misstatement in the matter to which that expert’s work
relates;
(d) The practitioner’s knowledge of and experience with previous work
performed by that expert; and
(e) Whether that expert is subject to the practitioner’s firm’s quality control
policies and procedures (see also paragraphs A123-A124).
Integrating the work of a practitioner’s expert
A121.
Assurance engagements may be performed on a wide range of underlying
subject matters that require specialized skills and knowledge beyond those
possessed by the engagement partner and other members of the engagement
team and for which the work of a practitioner’s expert is used. In some
situations, the practitioner’s expert will be consulted to provide advice on an
individual matter, but the greater the significance of the practitioner’s expert’s
work in the context of the engagement, the more likely it is that expert will work
as part of a multi-disciplinary team comprising subject matter experts and other
assurance personnel. The more that expert’s work is integrated in nature, timing
and extent with the overall work effort, the more important effective two-way
communication is between the practitioner’s expert and other assurance
personnel. Effective two-way communication facilitates the proper integration of
the expert’s work with the work of others on the engagement.
A122.
As noted in paragraph A71, when the work of a practitioner’s expert is to be
used, it may be appropriate to perform some of the procedures required by
paragraph 52 at the engagement acceptance or continuance stage. This is
particularly so when the work of the practitioner’s expert will be fully integrated
with the work of other assurance personnel and when the work of the
practitioner’s expert is to be used in the early stages of the engagement, for
example, during initial planning and risk assessment.
The practitioner’s firm’s quality control policies and procedures
A123.
A practitioner’s internal expert may be a partner or staff, including temporary
staff, of the practitioner’s firm and, therefore, subject to the quality control
policies and procedures of that firm in accordance with CSQC 1, or other
professional requirements, or requirements in law or regulation, that are at least
as demanding as CSQC 1. Alternatively, a practitioner’s internal expert may be
a partner or staff, including temporary staff, of a network firm, which may share
common quality control policies and procedures with the practitioner’s firm. A
practitioner’s external expert is not a member of the engagement team and is
not subject to quality control policies and procedures in accordance with
CSQC 1.
A124.
Engagement teams are entitled to rely on the firm’s system of quality control,
unless information provided by the firm or other parties suggests otherwise. The
extent of that reliance will vary with the circumstances, and may affect the
nature, timing and extent of the practitioner’s procedures with respect to such
matters as:
• Competence and capabilities, through recruitment and training programs.
• The practitioner’s evaluation of the objectivity of the practitioner’s expert.
Practitioner’s internal experts are subject to relevant ethical requirements,
including those pertaining to independence.
• The practitioner’s evaluation of the adequacy of the practitioner’s expert’s
work. For example, the firm’s training programs may provide the
practitioner’s internal experts with an appropriate understanding of the
interrelationship of their expertise with the evidence gathering process.
Reliance on such training and other firm processes, such as protocols for
scoping the work of the practitioner’s internal experts, may affect the nature,
timing and extent of the practitioner’s procedures to evaluate the adequacy
of the practitioner’s expert’s work.
• Adherence to regulatory and legal requirements, through monitoring
processes.
• Agreement with the practitioner’s expert.
Such reliance does not reduce the practitioner’s responsibility to meet the
requirements of this CSAE.
The Competence, Capabilities and Objectivity of the Practitioner’s Expert
(Ref: Para. 52(a))
A125.
Information regarding the competence, capabilities and objectivity of a
practitioner’s expert may come from a variety of sources, such as:
• Personal experience with previous work of that expert.
• Discussions with that expert.
• Discussions with other practitioners or others who are familiar with that
expert’s work.
• Knowledge of that expert’s qualifications, membership of a professional
body or industry association, license to practice, or other forms of external
recognition.
• Published papers or books written by that expert.
• The firm’s quality control policies and procedures (see also paragraphs
A123-A124).
A126.
While practitioner’s experts do not require the same proficiency as the
practitioner in performing all aspects of an assurance engagement, a
practitioner’s expert whose work is used may need a sufficient understanding of
relevant CSAEs to enable that expert to relate the work assigned to them to the
engagement objective.
A127.
The evaluation of the significance of threats to objectivity and of whether there
is a need for safeguards may depend upon the role of the practitioner’s expert
and the significance of the expert’s work in the context of the engagement.
There may be some circumstances in which safeguards cannot reduce threats
to an acceptable level, for example, if a proposed practitioner’s expert is an
individual who has played a significant role in preparing the subject matter
information.
A128.
When evaluating the objectivity of a practitioner’s external expert, it may be
relevant to:
• Inquire of the appropriate party(ies) about any known interests or
relationships that the appropriate party(ies) has with the practitioner’s
external expert that may affect that expert’s objectivity.
• Discuss with that expert any applicable safeguards, including any
professional requirements that apply to that expert, and evaluate whether
the safeguards are adequate to reduce threats to an acceptable level.
Interests and relationships that it may be relevant to discuss with the
practitioner’s expert include:
  o Financial interests.
  o Business and personal relationships.
  o Provision of other services by the expert, including by the organization
  in the case of an external expert that is an organization.
In some cases, it may also be appropriate for the practitioner to obtain a
written representation from the practitioner’s external expert about any
interests or relationships with the appropriate party(ies) of which that expert
is aware.
Obtaining an Understanding of the Field of Expertise of the Practitioner’s Expert
(Ref: Para. 52(b))
A129.
Having a sufficient understanding of the field of expertise of the practitioner’s
expert enables the practitioner to:
(a) Agree with the practitioner’s expert the nature, scope and objectives of that
expert’s work for the practitioner’s purposes; and
(b) Evaluate the adequacy of that work for the practitioner’s purposes.
A130.
Aspects of the practitioner’s expert’s field relevant to the practitioner’s
understanding may include:
• Whether that expert’s field has areas of specialty within it that are relevant
to the engagement.
• Whether any professional or other standards and regulatory or legal
requirements apply.
• What assumptions and methods, including models where applicable, are
used by the practitioner’s expert, and whether they are generally accepted
within that expert’s field and appropriate in the circumstances of the
engagement.
• The nature of internal and external data or information the practitioner’s
expert uses.
Agreement with the Practitioner’s Expert (Ref: Para. 52(c))
A131.
It may be appropriate for the practitioner’s agreement with the practitioner’s
expert to also include matters such as the following:
(a) The respective roles and responsibilities of the practitioner and that expert;
(b) The nature, timing and extent of communication between the practitioner
and that expert, including the form of any report to be provided by that
expert; and
(c) The need for the practitioner’s expert to observe confidentiality
requirements.
A132.
The matters noted in paragraph A124 may affect the level of detail and formality
of the agreement between the practitioner and the practitioner’s expert,
including whether it is appropriate that the agreement be in writing. The
agreement between the practitioner and a practitioner’s external expert is often
in the form of an engagement letter.
Evaluating the Adequacy of the Practitioner’s Expert’s Work (Ref: Para. 52(d))
A133.
The following matters may be relevant when evaluating the adequacy of the
practitioner’s expert’s work for the practitioner’s purposes:
(a) The relevance and reasonableness of that expert’s findings or conclusions,
and their consistency with other evidence;
(b) If that expert’s work involves use of significant assumptions and methods,
the relevance and reasonableness of those assumptions and methods in
the circumstances; and
(c) If that expert’s work involves the use of source data that is significant to that
expert’s work, the relevance, completeness, and accuracy of that source
data.
A134.
If the practitioner determines that the work of the practitioner’s expert is not
adequate for the practitioner’s purposes, options available to the practitioner
include:
(a) Agreeing with that expert on the nature and extent of further work to be
performed by that expert; or
(b) Performing additional procedures appropriate to the circumstances.
Work Performed by Another Practitioner, a Responsible Party’s or Measurer’s or
Evaluator’s Expert or an Internal Auditor (Ref: Para. 53-55)
A135.
While paragraphs A120-A134 have been written in the context of using work
performed by a practitioner’s expert, they may also provide helpful guidance
with respect to using work performed by another practitioner, a responsible
party’s or measurer’s or evaluator’s expert, or an internal auditor.
Written Representations (Ref: Para. 56)
A136.
Written confirmation of oral representations reduces the possibility of
misunderstandings between the practitioner and the appropriate party(ies). The
person(s) from whom the practitioner requests written representations will
ordinarily be a member of senior management or those charged with
governance depending on, for example, the management and governance
structure of the appropriate party(ies), which may vary by jurisdiction and by
entity, reflecting influences such as different cultural and legal backgrounds,
and size and ownership characteristics.
A137.
Other written representations requested may include the following:
• Whether the appropriate party(ies) believes the effects of uncorrected
misstatements are immaterial, individually and in aggregate, to the subject
matter information. A summary of such items is ordinarily included in or
attached to the written representation;
• That significant assumptions used in making any material estimates are
reasonable;
• That the appropriate party(ies) has communicated to the practitioner all
deficiencies in internal control relevant to the engagement that are not
clearly trivial and inconsequential of which the appropriate party(ies) is
aware; and
• When the responsible party is different from the measurer or evaluator, that
the responsible party acknowledges responsibility for the underlying subject
matter.
A138.
Representations by the appropriate party(ies) cannot replace other evidence
the practitioner could reasonably expect to be available. Although written
representations provide necessary evidence, they do not provide sufficient
appropriate evidence on their own about any of the matters with which they
deal. Furthermore, the fact that the practitioner has received reliable written
representations does not affect the nature or extent of other evidence that the
practitioner obtains.
Requested Written Representations Not Provided or Not Reliable (Ref: Para. 60)
A139.
Circumstances in which the practitioner may not be able to obtain requested
written representations include, for example, when:
• The responsible party contracts a third party to perform the relevant
measurement or evaluation and later engages the practitioner to undertake
an assurance engagement on the resultant subject matter information. In
some such cases, for example, where the responsible party has an ongoing
relationship with the measurer or evaluator, the responsible party may be
able to arrange for the measurer or evaluator to provide requested written
representations, or the responsible party may be in a position to provide
such representations if the responsible party has a reasonable basis for
doing so, but in other cases, this may not be so.
• An intended user engages the practitioner to undertake an assurance
engagement on publicly available information but does not have a
relationship with the responsible party of the kind necessary to ensure that
party responds to the practitioner’s request for a written representation.
• The assurance engagement is undertaken against the wishes of the
measurer or evaluator. This may be the case when, for example, the
engagement is undertaken pursuant to a court order, or a public sector
practitioner is required by the legislature or other competent authority to
undertake a particular engagement.
In these or similar circumstances, the practitioner may not have access to the
evidence needed to support the practitioner’s conclusion. If this is the case,
paragraph 66 of this CSAE applies.
Subsequent Events (Ref: Para. 61)
A140.
Consideration of subsequent events in some assurance engagements may not
be relevant because of the nature of the underlying subject matter. For
example, when the engagement requires a conclusion about the accuracy of a
statistical return at a point in time, events occurring between that point in time
and the date of the assurance report may not affect the conclusion or require
disclosure in the return or the report.
A141.
As noted in paragraph 61, the practitioner has no responsibility to perform any
procedures regarding the subject matter information after the date of the
practitioner’s report. However, if, after the date of the practitioner’s report, a fact
becomes known to the practitioner that, had it been known to the practitioner at
the date of the practitioner’s report, may have caused the practitioner to amend
the report, the practitioner may need to discuss the matter with the appropriate
party(ies) or take other action as appropriate in the circumstances.
Other Information (Ref: Para. 62)
A142.
Further actions that may be appropriate if the practitioner identifies a material
inconsistency or becomes aware of a material misstatement of fact include, for
example:
• Requesting the appropriate party(ies) to consult with a qualified third party,
such as the appropriate party(ies)’s legal counsel.
• Obtaining legal advice about the consequences of different courses of
action.
• Communicating with third parties (for example, a regulator).
• Withholding the assurance report.
• Withdrawing from the engagement, where withdrawal is possible under
applicable law or regulation.
• Describing the material inconsistency in the report.
Description of Applicable Criteria (Ref: Para. 63)
A143.
The description of the applicable criteria advises intended users of the
framework on which the subject matter information is based, and is particularly
important when there are significant differences between various criteria
regarding how particular matters may be treated in the subject matter
information.
A144.
A description that the subject matter information is prepared in accordance with
particular applicable criteria is appropriate only if the subject matter information
complies with all relevant requirements of those applicable criteria that are
effective.
A145.
A description of the applicable criteria that contains imprecise qualifying or
limiting language (for example, “the subject matter information is in substantial
compliance with the requirements of XYZ”) is not an adequate description as it
may mislead users of the subject matter information.
Forming the Assurance Conclusion
Sufficiency and Appropriateness of Evidence (Ref: Para. C12(i), 64)
A146.
Evidence is necessary to support the practitioner’s conclusion and assurance
report. It is cumulative in nature and is primarily obtained from procedures
performed during the course of the engagement. It may, however, also include
information obtained from other sources such as previous engagements
(provided the practitioner has determined whether changes have occurred since
the previous engagement that may affect its relevance to the current
engagement) or a firm’s quality control procedures for client acceptance and
continuance. Evidence may come from sources inside and outside the
appropriate party(ies). Also, information that may be used as evidence may
have been prepared by an expert employed or engaged by the appropriate
party(ies). Evidence comprises both information that supports and corroborates
aspects of the subject matter information, and any information that contradicts
aspects of the subject matter information. In addition, in some cases, the
absence of information (for example, refusal by the appropriate party(ies) to
provide a requested representation) is used by the practitioner and, therefore,
also constitutes evidence. Most of the practitioner’s work in forming the
assurance conclusion consists of obtaining and evaluating evidence.
A147.
The sufficiency and appropriateness of evidence are interrelated. Sufficiency is
the measure of the quantity of evidence. The quantity of evidence needed is
affected by the risks of the subject matter information being materially misstated
(the higher the risks, the more evidence is likely to be required) and also by the
quality of such evidence (the higher the quality, the less may be required).
Obtaining more evidence, however, may not compensate for its poor quality.
A148.
Appropriateness is the measure of the quality of evidence; that is, its relevance
and its reliability in providing support for the practitioner’s conclusion. The
reliability of evidence is influenced by its source and by its nature, and is
dependent on the individual circumstances under which it is obtained.
Generalizations about the reliability of various kinds of evidence can be made;
however, such generalizations are subject to important exceptions. Even when
evidence is obtained from sources external to the appropriate party(ies),
circumstances may exist that could affect its reliability. For example, evidence
obtained from an external source may not be reliable if the source is not
knowledgeable or objective. While recognizing that exceptions may exist, the
following generalizations about the reliability of evidence may be useful:
• Evidence is more reliable when it is obtained from sources outside the
appropriate party(ies).
• Evidence that is generated internally is more reliable when the related
controls are effective.
• Evidence obtained directly by the practitioner (for example, observation of
the application of a control) is more reliable than evidence obtained
indirectly or by inference (for example, inquiry about the application of a
control).
• Evidence is more reliable when it exists in documentary form, whether
paper, electronic, or other media (for example, a contemporaneously written
record of a meeting is ordinarily more reliable than a subsequent oral
representation of what was discussed).
A149.
The practitioner ordinarily obtains more assurance from consistent evidence
obtained from different sources or of a different nature than from items of
evidence considered individually. In addition, obtaining evidence from different
sources or of a different nature may indicate that an individual item of evidence
is not reliable. For example, corroborating information obtained from a source
independent of the appropriate party(ies) may increase the assurance the
practitioner obtains from a representation from the appropriate party(ies).
Conversely, when evidence obtained from one source is inconsistent with that
obtained from another, the practitioner determines what additional procedures
are necessary to resolve the inconsistency.
A150.
In terms of obtaining sufficient appropriate evidence, it is generally more difficult
to obtain assurance about subject matter information covering a period than
about subject matter information at a point in time. In addition, conclusions
provided on processes ordinarily are limited to the period covered by the
engagement; the practitioner provides no conclusion about whether the process
will continue to function in the specified manner in the future.
A151.
Whether sufficient appropriate evidence has been obtained on which to base
the practitioner’s conclusion is a matter of professional judgment.
A152.
In some circumstances, the practitioner may not have obtained the sufficiency
or appropriateness of evidence that the practitioner had expected to obtain
through the planned procedures. In these circumstances, the practitioner
considers that the evidence obtained from the procedures performed is not
sufficient and appropriate to be able to form a conclusion on the subject matter
information. The practitioner may:
• Extend the work performed; or
• Perform other procedures judged by the practitioner to be necessary in the
circumstances.
Where neither of these is practicable in the circumstances, the practitioner will
not be able to obtain sufficient appropriate evidence to be able to form a
conclusion. This situation may arise even though the practitioner has not
become aware of a matter(s) that causes the practitioner to believe the subject
matter information may be materially misstated, as addressed in
paragraph 49L.
Evaluating the Sufficiency and Appropriateness of Evidence (Ref: Para. 65)
A153.
An assurance engagement is a cumulative and iterative process. As the
practitioner performs planned procedures, the evidence obtained may cause
the practitioner to change the nature, timing or extent of other planned
procedures. Information may come to the practitioner’s attention that differs
significantly from that expected and upon which planned procedures were
based. For example:
• The extent of misstatements that the practitioner identifies may alter the
practitioner’s professional judgment about the reliability of particular
sources of information.
• The practitioner may become aware of discrepancies in relevant
information, or inconsistent or missing evidence.
• If analytical procedures were performed towards the end of the
engagement, the results of those procedures may indicate a previously
unrecognized risk of material misstatement.
In such circumstances, the practitioner may need to reevaluate the planned
procedures.
A154.
The practitioner’s professional judgment as to what constitutes sufficient
appropriate evidence is influenced by such factors as the following:
• Significance of a potential misstatement and the likelihood of its having a
material effect, individually or when aggregated with other potential
misstatements, on the subject matter information.
• Effectiveness of the appropriate party(ies)’s responses to address the
known risk of material misstatement.
• Experience gained during previous assurance engagements with respect to
similar potential misstatements.
• Results of procedures performed, including whether such procedures
identified specific misstatements.
• Source and reliability of the available information.
• Persuasiveness of the evidence.
• Understanding of the appropriate party(ies) and its environment.
Scope Limitations (Ref: Para. 26, 66)
A155.
A scope limitation may arise from:
(a) Circumstances beyond the control of the appropriate party(ies). For
example, documentation the practitioner considers it necessary to inspect
may have been accidentally destroyed;
(b) Circumstances relating to the nature or timing of the practitioner’s work. For
example, a physical process the practitioner considers it necessary to
observe may have occurred before the practitioner’s engagement; or
(c) Limitations imposed by the responsible party, the measurer or evaluator, or
the engaging party on the practitioner that, for example, may prevent the
practitioner from performing a procedure the practitioner considers to be
necessary in the circumstances. Limitations of this kind may have other
implications for the engagement, such as for the practitioner’s consideration
of engagement risk and engagement acceptance and continuance.
A156.
An inability to perform a specific procedure does not constitute a scope
limitation if the practitioner is able to obtain sufficient appropriate evidence by
performing alternative procedures.
A157.
The procedures performed in a limited assurance engagement are, by
definition, limited compared with that necessary in a reasonable assurance
engagement. Limitations known to exist prior to accepting a limited assurance
engagement are a relevant consideration when establishing whether the
preconditions for an assurance engagement are present, in particular, whether
the engagement exhibits the characteristics of access to evidence (see
paragraph 24(b)(iv)) and a rational purpose (see paragraph 24(b)(vi)). If a
further limitation is imposed by the appropriate party(ies) after a limited
assurance engagement has been accepted, it may be appropriate to withdraw
from the engagement, where withdrawal is possible under applicable law or
regulation.
Preparing the Assurance Report
Form of Assurance Report (Ref: Para. 67-68)
A158.
Oral and other forms of expressing conclusions can be misunderstood without
the support of a written report. For this reason, the practitioner does not report
orally or by use of symbols without also providing a written assurance report
that is readily available whenever the oral report is provided or the symbol is
used. For example, a symbol could be hyperlinked to a written assurance report
on the Internet.
A159.
This CSAE does not require a standardized format for reporting on all
assurance engagements. Instead, it identifies the basic elements the assurance
report is to include. Assurance reports are tailored to the specific engagement
circumstances. The practitioner may use headings, paragraph numbers,
typographical devices (for example, the bolding of text), and other mechanisms
to enhance the clarity and readability of the assurance report.
A160.
The practitioner may choose a “short form” or “long form” style of reporting to
facilitate effective communication to the intended users. “Short-form” reports
ordinarily include only the basic elements. “Long-form” reports include other
information and explanations that are not intended to affect the practitioner’s
conclusion. In addition to the basic elements, long-form reports may describe in
detail the terms of the engagement, the applicable criteria being used, findings
relating to particular aspects of the engagement, details of the qualifications and
experience of the practitioner and others involved with the engagement,
disclosure of materiality levels and, in some cases, recommendations. The
practitioner may find it helpful to consider the significance of providing such
information to the information needs of the intended users. As required by
paragraph 68, additional information is clearly separated from the practitioner’s
conclusion and phrased in such a manner so as to make it clear that it is not
intended to detract from that conclusion.
Assurance Report Content
Title (Ref: Para. C69(a))
A161.
An appropriate title helps to identify the nature of the assurance report, and to
distinguish it from reports issued by others, such as those who do not have to
comply with the same ethical requirements as the practitioner.
Addressee (Ref: Para. C69(b))
A162.
An addressee identifies the party or parties to whom the assurance report is
directed. The assurance report is ordinarily addressed to the engaging party,
but in some cases, there may be other intended users.
Subject Matter Information and Underlying Subject Matter (Ref: Para. C69(c))
A163.
Identification and description of the subject matter information and, when
appropriate, the underlying subject matter may include, for example:
• The point in time or period of time to which the measurement or evaluation
of the underlying subject matter relates.
• Where applicable, the name of the responsible party or component of the
responsible party to which the underlying subject matter relates.
• An explanation of those characteristics of the underlying subject matter or
the subject matter information of which the intended users should be aware,
and how such characteristics may influence the precision of the
measurement or evaluation of the underlying subject matter against the
applicable criteria, or the persuasiveness of available evidence. For
example:
  o The degree to which the subject matter information is qualitative versus
  quantitative, objective versus subjective, or historical versus
  prospective.
  o Changes in the underlying subject matter or other engagement
  circumstances that affect the comparability of the subject matter
  information from one period to the next.
Applicable Criteria (Ref: Para. C69(d))
A164.
The assurance report identifies the applicable criteria against which the
underlying subject matter was measured or evaluated so the intended users
can understand the basis for the practitioner’s conclusion. The assurance report
may include the applicable criteria, or refer to them if they are included in the
subject matter information or if they are otherwise available from a readily
accessible source. It may be relevant in the circumstances, to disclose:
• The source of the applicable criteria, and whether or not the applicable
criteria are embodied in law or regulation, or issued by authorized or
recognized bodies of experts that follow a transparent due process; that is,
whether they are established criteria in the context of the underlying subject
matter (and if they are not, a description of why they are considered
suitable).
• Measurement or evaluation methods used when the applicable criteria
allow for choice between a number of methods.
• Any significant interpretations made in applying the applicable criteria in the
engagement circumstances.
• Whether there have been any changes in the measurement or evaluation
methods used.
Inherent Limitations (Ref: Para. C69(e))
A165.
While in some cases, inherent limitations can be expected to be well
understood by the intended users of an assurance report, in other cases, it may
be appropriate to make explicit reference to them in the assurance report. For
example, in an assurance report related to the effectiveness of internal control,
it may be appropriate to note that the historic evaluation of effectiveness is not
relevant to future periods due to the risk that internal control may become
inadequate because of changes in conditions, or that the degree of compliance
with policies or procedures may deteriorate.
Specific Purpose (Ref: Para. C69(f))
A166.
In some cases, the applicable criteria used to measure or evaluate the
underlying subject matter may be designed for a specific purpose. For example,
a regulator may require certain entities to use particular applicable criteria
designed for regulatory purposes. To avoid misunderstandings, the practitioner
alerts readers of the assurance report to this fact and that, therefore, the subject
matter information may not be suitable for another purpose.
A167.
In addition to the alert required by paragraph C69(f), the practitioner may
consider it appropriate to indicate that the assurance report is intended solely
for specific users. Depending on the engagement circumstances, for example,
the law or regulation of the particular jurisdiction, this may be achieved by
restricting the distribution or use of the assurance report. While an assurance
report may be restricted in this way, the absence of a restriction regarding a
particular user or purpose does not itself indicate that a legal responsibility is
owed by the practitioner in relation to that user or for that purpose. Whether a
legal responsibility is owed will depend on the legal circumstances of each case
and the relevant jurisdiction.
Relative Responsibilities (Ref: Para. C69(g))
A168.
Identifying relative responsibilities informs the intended users that the
responsible party is responsible for the underlying subject matter, that the
measurer or evaluator is responsible for the measurement or evaluation of the
underlying subject matter against the applicable criteria, and that the
practitioner’s role is to independently express a conclusion about the subject
matter information.
Performance of the Engagement in Accordance with CSAE 3000 and a Subject-Matter-Specific CSAE (Ref: Para. C69(h))
A169.
Where a subject-matter-specific CSAE applies to only part of the subject matter
information, it may be appropriate to cite both that subject-matter-specific CSAE
and this CSAE.
A170.
A statement that contains imprecise qualifying or limiting language (for
example, “the engagement was performed by reference to CSAE 3000”) may
mislead users of assurance reports.
Applicable Quality Control Requirements (Ref: Para. C69(i))
A171.
The following is an illustration of a statement in the assurance report regarding
applicable quality control requirements:
The firm applies Canadian Standard on Quality Control 1 and, accordingly,
maintains a comprehensive system of quality control, including documented
policies and procedures regarding compliance with ethical requirements,
professional standards and applicable legal and regulatory requirements.
Compliance with Independence and Other Ethical Requirements (Ref: Para. C69(j))
CA172. The following is an illustration of a statement in the report regarding compliance
with ethical requirements:
We have complied with the independence and other ethical requirements of
the [specify applicable rules of professional conduct/code of conduct in
Canada], which are founded on fundamental principles of integrity,
objectivity, professional competence and due care, confidentiality and
professional behavior. [In ISAE 3000, this illustration states: We have
complied with the independence and other ethical requirements of the Code
of Ethics for Professional Accountants issued by the International Ethics
Standards Board for Accountants, which is founded on fundamental
principles of integrity, objectivity, professional competence and due care,
confidentiality and professional behavior.]
Summary of the Work Performed (Ref: Para. A6, C69(k))
A173.
The summary of the work performed helps the intended users understand the
practitioner’s conclusion. For many assurance engagements, infinite variations
in procedures are possible in theory. In practice, however, these are difficult to
communicate clearly and unambiguously. Other authoritative pronouncements
issued by the Auditing and Assurance Standards Board may be useful to
practitioners in preparing the summary.
A174.
Where no specific CSAE provides guidance on procedures for a particular
underlying subject matter, the summary might include a more detailed
description of the work performed. It may be appropriate to include in the
summary a statement that the work performed included evaluating the suitability
of the applicable criteria.
A175.
In a limited assurance engagement, the summary of the work performed is
ordinarily more detailed than for a reasonable assurance engagement and
identifies the limitations on the nature, timing and extent of procedures. This is
because an appreciation of the nature, timing and extent of procedures
performed is essential to understanding a conclusion expressed in a form that
conveys whether, based on the procedures performed, a material matter(s) has
come to the practitioner’s attention to cause the practitioner to believe the
subject matter information is materially misstated. It also may be appropriate to
indicate in the summary of the work performed certain procedures that were not
performed that would ordinarily be expected to be performed in a reasonable
assurance engagement. However, a complete identification of all such
procedures may not be possible because the practitioner’s required
understanding and consideration of engagement risk is less than in a
reasonable assurance engagement.
A176.
Factors to consider in determining the level of detail to be provided in the
summary of the work performed may include:
• Circumstances specific to the entity (for example, the differing nature of the
entity’s activities compared to those typical in the sector).
• Specific engagement circumstances affecting the nature and extent of the
procedures performed.
• The intended users’ expectations of the level of detail to be provided in the
report, based on market practice, or applicable law or regulation.
A177.
It is important that the summary be written in an objective way that allows
intended users to understand the work done as the basis for the practitioner’s
conclusion. In most cases, this will not involve detailing the entire work plan, but
on the other hand, it is important for it not to be so summarized as to be
ambiguous, nor written in a way that is overstated or embellished.
The Practitioner’s Conclusion (Ref: Para. C12(a)(ii)(a), C69(l))
A178.
Examples of conclusions expressed in a form appropriate for a reasonable
assurance engagement include:
• When expressed in terms of the underlying subject matter and the
applicable criteria, “In our opinion, the entity has complied, in all material
respects, with XYZ law”;
• When expressed in terms of the subject matter information and the
applicable criteria, “In our opinion, the forecast of the entity’s financial
performance is properly prepared, in all material respects, based on XYZ
criteria”; or
• When expressed in terms of a statement made by the appropriate party, “In
our opinion, the [appropriate party’s] statement that the entity has complied
with XYZ law is, in all material respects, fairly stated,” or “In our opinion, the
[appropriate party’s] statement that the key performance indicators are
presented in accordance with XYZ criteria is, in all material respects, fairly
stated”.
A179.
It may be appropriate to inform the intended users of the context in which the
practitioner’s conclusion is to be read when the report includes an explanation
of particular characteristics of the underlying subject matter of which the
intended users should be aware. The practitioner’s conclusion may, for
example, include wording such as: “This conclusion has been formed on the
basis of the matters outlined elsewhere in this independent assurance report.”
A180.
Examples of conclusions expressed in a form appropriate for a limited
assurance engagement include:
• When expressed in terms of the underlying subject matter and the
applicable criteria, “Based on the procedures performed and evidence
obtained, nothing has come to our attention that causes us to believe that
[the entity] has not complied, in all material respects, with XYZ law.”
• When expressed in terms of the subject matter information and the
applicable criteria, “Based on the procedures performed and evidence
obtained, we are not aware of any material amendments that need to be
made to the assessment of key performance indicators for them to be in
accordance with XYZ criteria.”
• When expressed in terms of a statement made by the appropriate party,
“Based on the procedures performed and evidence obtained, nothing has
come to our attention that causes us to believe that the [appropriate party’s]
statement that [the entity] has complied with XYZ law, is not, in all material
respects, fairly stated.”
A181.
Forms of expression that may be useful for underlying subject matters include,
for example, one, or a combination of, the following:
• For compliance engagements – “in compliance with” or “in accordance
with.”
• For engagements when the applicable criteria describe a process or
methodology for the preparation or presentation of the subject matter
information – “properly prepared.”
• For engagements when the principles of fair presentation are embodied in
the applicable criteria – “fairly stated.”
A182.
Inclusion of a heading above paragraphs containing modified conclusions, and
the matter(s) giving rise to the modification, aids the understandability of the
practitioner’s report. Examples of appropriate headings include “Qualified
Conclusion,” “Adverse Conclusion,” or “Disclaimer of Conclusion” and “Basis for
Qualified Conclusion,” “Basis for Adverse Conclusion,” as appropriate.
The Practitioner’s Signature (Ref: Para. C69(m))
A183.
The practitioner’s signature is either in the name of the practitioner’s firm, the
personal name of the individual practitioner or both, as appropriate for the
particular jurisdiction. In addition to the practitioner’s signature, in certain
jurisdictions, the practitioner may be required to make a declaration in the
practitioner’s report about professional designations or recognition by the
appropriate licensing authority in that jurisdiction.
Date (Ref: Para. C69(n))
A184.
Including the assurance report date informs the intended users that the
practitioner has considered the effect on the subject matter information and on
the assurance report of events that occurred up to that date.
Reference to the Practitioner’s Expert in the Assurance Report (Ref: Para. 70)
A185.
In some cases, law or regulation may require a reference to the work of a
practitioner’s expert in the assurance report, for example, for the purposes of
transparency in the public sector. It may also be appropriate in other
circumstances, for example, to explain the nature of a modification of the
practitioner’s conclusion, or when the work of an expert is integral to findings
included in a long-form report.
A186.
Nonetheless, the practitioner has sole responsibility for the conclusion
expressed, and that responsibility is not reduced by the practitioner’s use of the
work of a practitioner’s expert. It is important, therefore, that if the assurance
report refers to a practitioner’s expert, that the wording of that report does not
imply that the practitioner’s responsibility for the conclusion expressed is
reduced because of the involvement of that expert.
A187.
A generic reference in a long-form report to the engagement having been
conducted by suitably qualified personnel including subject matter experts and
assurance specialists is unlikely to be misunderstood as reduced responsibility.
The potential for misunderstanding is higher, however, in the case of short-form
reports, where minimum contextual information is able to be presented, or when
the practitioner’s expert is referred to by name. Therefore, additional wording
may be needed in such cases to prevent the assurance report implying that the
practitioner’s responsibility for the conclusion expressed is reduced because of
the involvement of the expert.
Unmodified and Modified Conclusions (Ref: Para. 74-77, Appendix 1)
A188.
The term ‘pervasive’ describes the effects on the subject matter information of
misstatements or the possible effects on the subject matter information of
misstatements, if any, that are undetected due to an inability to obtain sufficient
appropriate evidence. Pervasive effects on the subject matter information are
those that, in the practitioner’s professional judgment:
(a) Are not confined to specific aspects of the subject matter information;
(b) If so confined, represent or could represent a substantial proportion of the
subject matter information; or
(c) In relation to disclosures, are fundamental to the intended users’
understanding of the subject matter information.
A189.
The nature of the matter, and the practitioner’s judgment about the
pervasiveness of the effects or possible effects on the subject matter
information, affects the type of conclusion to be expressed.
A190.
Examples of qualified and adverse conclusions and a disclaimer of conclusion
are:
• Qualified conclusion (an example for limited assurance engagements with a
material misstatement) – “Based on the procedures performed and the
evidence obtained, except for the effect of the matter described in the Basis
for Qualified Conclusion section of our report, nothing has come to our
attention that causes us to believe that the [appropriate party’s] statement
does not present fairly, in all material respects, the entity’s compliance with
XYZ law.”
• Adverse conclusion (an example for a material and pervasive misstatement
for both reasonable assurance and limited assurance engagements) –
“Because of the significance of the matter described in the Basis for
Adverse Conclusion section of our report, the [appropriate party’s]
statement does not present fairly the entity’s compliance with XYZ law.”
• Disclaimer of conclusion (an example for a material and pervasive limitation
of scope for both reasonable assurance and limited assurance
engagements) – “Because of the significance of the matter described in the
Basis for Disclaimer of Conclusion section of our report, we have not been
able to obtain sufficient appropriate evidence to form a conclusion on the
[appropriate party’s] statement. Accordingly, we do not express a
conclusion on that statement.”
A191.
In some cases, the measurer or evaluator may identify and properly describe
that the subject matter information is materially misstated. For example, in a
compliance engagement the measurer or evaluator may correctly describe the
instances of non-compliance. In such circumstances, paragraph 76 requires the
practitioner to draw the intended users’ attention to the description of the
material misstatement, by either expressing a qualified or adverse conclusion or
by expressing an unqualified conclusion but emphasizing the matter by
specifically referring to it in the assurance report.
Other Communication Responsibilities (Ref: Para. 78)
A192.
Matters that may be appropriate to communicate with the responsible party, the
measurer or evaluator, the engaging party or others include fraud or suspected
fraud, and bias in the preparation of the subject matter information.
A193.
includes a record of the practitioner’s reasoning on all significant matters that
require the exercise of professional judgment, and related conclusions. When
difficult questions of principle or professional judgment exist, documentation
that includes the relevant facts that were known by the practitioner at the time
the conclusion was reached may assist in demonstrating the practitioner’s
knowledge.
A194.
It is neither necessary nor practical to document every matter considered, or
professional judgment made, during an engagement. Further, it is unnecessary
for the practitioner to document separately (as in a checklist, for example)
compliance with matters for which compliance is demonstrated by documents
included within the engagement file. Similarly, the practitioner need not include
in the engagement file superseded drafts of working papers, notes that reflect
incomplete or preliminary thinking, previous copies of documents corrected for
typographical or other errors, and duplicates of documents.
A195.
In applying professional judgment to assessing the extent of documentation to
be prepared and retained, the practitioner may consider what is necessary to
provide an understanding of the work performed and the basis of the principal
decisions taken (but not the detailed aspects of the engagement) to another
practitioner who has no previous experience with the engagement. That other
practitioner may only be able to obtain an understanding of detailed aspects of
the engagement by discussing them with the practitioner who prepared the
documentation.
A196.
Documentation may include a record of, for example:
• The identifying characteristics of the specific items or matters tested;
• Who performed the engagement work and the date such work was
completed;
• Who reviewed the engagement work performed and the date and extent of
such review; and
• Discussions of significant matters with the appropriate party(ies) and others,
including the nature of the significant matters discussed and when and with
whom the discussions took place.
A197.
Documentation may include a record of, for example:
• Issues identified with respect to compliance with relevant ethical
requirements and how they were resolved.
• Conclusions on compliance with independence requirements that apply to
the engagement, and any relevant discussions with the firm that support
these conclusions.
• Conclusions reached regarding the acceptance and continuance of client
relationships and assurance engagements.
• The nature and scope of, and conclusions resulting from, consultations
undertaken during the course of the engagement.
Assembly of the Final Engagement File
A198.
CSQC 1 (or other professional requirements, or requirements in law or
regulation that are at least as demanding as CSQC 1) requires firms to
establish policies and procedures for the timely completion of the assembly of
engagement files.⁶ An appropriate time limit within which to complete the
assembly of the final engagement file is ordinarily not more than 60 days after
the date of the assurance report.⁷
A199.
The completion of the assembly of the final engagement file after the date of the
assurance report is an administrative process that does not involve the
performance of new procedures or the drawing of new conclusions. Changes
may, however, be made to the documentation during the final assembly
process if they are administrative in nature. Examples of such changes include:
• Deleting or discarding superseded documentation.
• Sorting, collating and cross-referencing working papers.
• Signing off on completion checklists relating to the file assembly process.
• Documenting evidence that the practitioner has obtained, discussed and
agreed with the relevant members of the engagement team before the date
of the assurance report.
⁶ CSQC 1, paragraph 45
⁷ CSQC 1, paragraph A54
A200.
CSQC 1 (or other requirements that are at least as demanding as CSQC 1)
requires firms to establish policies and procedures for the retention of
engagement documentation.⁸ The retention period for assurance engagements
ordinarily is no shorter than five years from the date of the assurance report.⁹
⁸ CSQC 1, paragraph 47
⁹ CSQC 1, paragraph A61
Appendix 1
(Ref: Para. A10, A15, A16-A18, A19, A20, A37-A39, A188-A191)
Roles and Responsibilities
1. All assurance engagements have at least three parties: the responsible party, the
practitioner, and the intended users. Depending on the engagement circumstances,
there may also be a separate role of measurer or evaluator, or engaging party.
2. The above diagram illustrates how the following roles relate to an attestation
engagement:
(a) The responsible party is responsible for the underlying subject matter.
(b) The measurer or evaluator uses the criteria to measure or evaluate the
underlying subject matter resulting in the subject matter information.
(c) The engaging party agrees the terms of the engagement with the practitioner.
(d) The practitioner obtains sufficient appropriate evidence in order to express a
conclusion designed to enhance the degree of confidence of the intended users
other than the responsible party about the subject matter information.
(e) The intended users make decisions on the basis of the subject matter
information. The intended users are the individual(s) or organization(s), or
group(s) thereof that the practitioner expects will use the assurance report.
C3. The following observations can be made about these roles:
• Every assurance engagement has at least a responsible party and intended
users, in addition to the practitioner.
• The practitioner cannot be the responsible party, the engaging party or an
intended user.
• [Not used.] [ISAE 3000 contains a bullet stating: In a direct engagement, the
practitioner is also the measurer or evaluator.]
• In an attestation engagement, the responsible party, or someone else, but not
the practitioner, can be the measurer or evaluator.
• [Not used.] [ISAE 3000 contains a bullet stating: When the practitioner has
measured or evaluated the underlying subject matter against the criteria, the
engagement is a direct engagement. The character of that engagement cannot
be changed to an attestation engagement by another party assuming
responsibility for the measurement or evaluation, for example, by the
responsible party attaching a statement to the subject matter information
accepting responsibility for it.]
• The responsible party can be the engaging party.
• In many attestation engagements the responsible party may also be the
measurer or evaluator, and the engaging party. An example is when an entity
engages a practitioner to perform an attestation engagement regarding a report
it has prepared about its own sustainability practices. An example of when the
responsible party is different from the measurer or evaluator, is when the
practitioner is engaged to perform an attestation engagement regarding a report
prepared by a government organization about a private company’s
sustainability practices.
• In an attestation engagement, the measurer or evaluator ordinarily provides the
practitioner with a written representation about the subject matter information. In
some cases, the practitioner may not be able to obtain such a representation,
for example, when the engaging party is not the measurer or evaluator.
• The responsible party can be one of the intended users, but not the only one.
• The responsible party, the measurer or evaluator, and the intended users may
be from different entities or the same entity. As an example of the latter case, in
a two-tier board structure, the supervisory board may seek assurance about
information provided by the executive board of that entity. The relationship
between the responsible party, the measurer or evaluator, and the intended
users needs to be viewed within the context of a specific engagement and may
differ from more traditionally defined lines of responsibility. For example, an
entity’s senior management (an intended user) may engage a practitioner to
perform an attestation engagement on a particular aspect of the entity’s
activities that is the immediate responsibility of a lower level of management
(the responsible party), but for which senior management is ultimately
responsible.
• An engaging party that is not also the responsible party can be the intended
user.
4. The practitioner’s conclusion may be phrased either in terms of:
• The underlying subject matter and the applicable criteria;
• The subject matter information and the applicable criteria; or
• A statement made by the appropriate party.
5. The practitioner and the responsible party may agree to apply the principles of the
CSAEs to an engagement when there are no intended users other than the
responsible party but where all other requirements of the CSAEs are met. In such
cases, the practitioner’s report includes a statement restricting the use of the report
to the responsible party.
Appendix 2
(Ref: Para. C2)
Illustrations of Differences between Attestation Engagements and Direct
Engagements

Objective
Attestation Engagement: To enhance the degree of confidence of the intended users about the subject matter information.
Direct Engagement: To enhance the degree of confidence of the intended users about the practitioner’s conclusion regarding the outcome of the measurement or evaluation of an underlying subject matter against criteria.

Subject matter information
Attestation Engagement: Public statement or assertion made by the responsible party regarding its measurement or evaluation of the underlying subject matter (for example, a statement regarding the entity’s compliance with applicable criteria, and information related to such compliance).
Direct Engagement: No public statement or assertion made by the responsible party.

Measurer/evaluator
Attestation Engagement: Party other than the practitioner.
Direct Engagement: Practitioner.

Applicable criteria
Attestation Engagement: Party other than the practitioner decides on the applicable criteria to be used in preparing its subject matter information. The practitioner determines whether the applicable criteria are suitable for the engagement circumstances.
Direct Engagement: Practitioner normally decides on the applicable criteria to be used for the engagement and seeks agreement from the party responsible for the underlying subject matter that the criteria are suitable.

Non-conformance with criteria
Attestation Engagement: Misstatement of the subject matter information.
Direct Engagement: Deviation of the underlying subject matter from the applicable criteria.

Reporting
Attestation Engagement: The practitioner’s report includes a conclusion regarding, for example, whether the subject matter information is, in all material respects, properly prepared, based on the applicable criteria.
Direct Engagement: The practitioner’s report includes a conclusion regarding whether the underlying subject matter conforms, in all material respects, with the applicable criteria.

Examples of engagements
Attestation Engagement:
• An audit of internal control over financial reporting that is integrated with a financial statement audit.
• An audit or review of an entity’s greenhouse gas emissions.
• An audit of a service organization’s description of its controls and the suitability of design and operating effectiveness of those controls.
• An audit or review of an entity’s statement or assertion to an external party regarding the entity’s compliance with an agreement, statute or regulation.
Direct Engagement:
• A value-for-money (performance) audit of a public sector entity when the entity has made no public statement or assertion regarding such performance.
• An audit or review of an entity’s compliance with an agreement, statute or regulation when the entity has made no statement or assertion to an external party regarding such compliance.

PROPOSED CANADIAN STANDARD ON
ASSURANCE ENGAGEMENTS 3001
DIRECT ENGAGEMENTS
(Effective for direct engagements where the assurance report
is dated on or after June 30, 2017)
CONTENTS (Paragraph)
Introduction: 1-6
Scope: 7-10
Effective Date: 11
Objectives: 12-13
Definitions: 14-15
Requirements
  Conduct of a Direct Engagement in Accordance with CSAEs: 16-21
  Ethical Requirements: 22
  Acceptance and Continuance: 23-32
  Quality Control: 33-38
  Professional Skepticism, Professional Judgment, and Assurance Skills and Techniques: 39-41
  Planning and Performing the Engagement: 42-49
  Obtaining Evidence: 50-62
  Subsequent Events: 63
  Other Information: 64
  Forming the Assurance Conclusion: 65-67
  Preparing the Assurance Report: 68-72
  Unmodified and Modified Conclusions: 73-77
  Other Communication Responsibilities: 78
  Documentation: 79-83
Application and Other Explanatory Material
  Introduction: A1
  Objectives: A1A-A2
  Definitions: A3-A19
  Conduct of a Direct Engagement in Accordance with CSAEs: A20-A28
  Ethical Requirements: A29-A32
  Acceptance and Continuance: A33-A56
  Quality Control: A57-A72
  Professional Skepticism and Professional Judgment: A73-A82
  Planning and Performing the Engagement: A83-A102
  Obtaining Evidence: A103-A133
  Subsequent Events: A134-A135
  Other Information: A136
  Description of the Applicable Criteria: A137-A139
  Forming the Assurance Conclusion: A140-A151
  Preparing the Assurance Report: A152-A181
  Unmodified and Modified Conclusions: A182-A184
  Other Communication Responsibilities: A185
  Documentation: A186-A193
Appendix 1: Roles and Responsibilities
Appendix 2: Illustrations of Differences between Attestation Engagements and
Direct Engagements
Introduction
1. This Canadian Standard on Assurance Engagements (CSAE) deals with direct
engagements. A direct engagement is an assurance engagement in which the
practitioner evaluates the underlying subject matter against applicable criteria
and aims to obtain sufficient appropriate evidence to express, in a written direct
assurance report, a conclusion to intended users other than the responsible
party, about the outcome of that evaluation. (Ref: Para. A20-A21)
2. CSAE 3000[1] deals with attestation engagements other than audits or reviews of
historical financial information, which are dealt with in Canadian Auditing
Standards (CASs) and Sections 8200 and 8500,[2] respectively. CSAE 3000 and
CSAE 3001 have the same status and authority; each deals with a different
category of assurance engagement. Appendix 2 provides illustrations of
differences between attestation engagements and direct engagements.
3. Direct engagements have many features in common with attestation
engagements undertaken under CSAE 3000. Fundamental concepts related to
matters such as level of assurance, risk and materiality are the same.
However, direct engagements also have features that are clearly distinct from
those of attestation engagements. For example, performance (value-for-money)
audits of public sector entities are typically direct engagements, and
have the following features not shared by attestation engagements:
• The party responsible for the underlying subject matter being reported on
does not make a public assertion regarding whether the entity’s
performance conformed with suitable criteria.
• The practitioner usually decides on what the nature and scope of the
underlying subject matter to be reported on will be. This decision is made
pursuant to the mandate of the public sector auditor set out in law or
regulation. The decision is based on knowledge of the entity’s activities and
the risks it faces.
• The practitioner normally decides on the applicable criteria to be used for
the engagement, deriving such criteria from relevant sources (for example,
pertinent legislation or regulation, policies, directives and guidelines) and
seeking agreement from the party responsible for the underlying subject
matter that the criteria are suitable.
4. This CSAE contains requirements and application and other explanatory
material specific to reasonable and limited assurance direct engagements.
[1] CSAE 3000, Attestation Engagements Other Than Audits or Reviews of Historical Financial Information
[2] PUBLIC ACCOUNTANTS REVIEW OF FINANCIAL STATEMENTS, Section 8200, and REVIEWS OF
FINANCIAL INFORMATION OTHER THAN FINANCIAL STATEMENTS, Section 8500
5. This CSAE is premised on the basis that:
(a) The members of the engagement team and the engagement quality control
reviewer (for those engagements where one has been appointed) are
subject to relevant rules of professional conduct/code of ethics in Canada
applicable to the practice of public accounting and related to assurance
engagements, issued by various professional accounting bodies or other
professional requirements, or requirements in law or regulation, that are at
least as demanding; and (Ref: Para. A29-A32)
(b) The practitioner who is performing the engagement is a member of a firm
that is subject to CSQC 1,[3] or other professional requirements, or
requirements in law or regulation, regarding the firm’s responsibility for its
system of quality control, that are at least as demanding as CSQC 1. (Ref:
Para. A58-A63)
6. Quality control within firms that perform assurance engagements, and
compliance with ethical principles, including independence requirements, are
widely recognized as being in the public interest and an integral part of
high-quality assurance engagements. Professional accountants in public practice will
be familiar with such requirements. If a competent practitioner other than a
professional accountant in public practice chooses to represent compliance with
this or other CSAEs, it is important to recognize that this CSAE includes
requirements that reflect the premise in the preceding paragraph.
Scope
7. This CSAE covers direct engagements. Where a subject-matter-specific CSAE
is relevant to the subject matter of a particular direct engagement, that CSAE
applies in addition to this CSAE. (Ref: Para. A20-A21)
8. Not all engagements performed by practitioners are assurance engagements.
Other frequently performed engagements that are not assurance engagements,
as defined by paragraph 14(a) (and, therefore, are not covered by the CSAEs)
include:
(a) Engagements covered by standards dealing with related services
engagements, such as agreed-upon procedure and compilation
engagements;
(b) The preparation of tax returns where no assurance conclusion is
expressed; and
(c) Consulting (or advisory) engagements, such as management and tax
consulting. (Ref: Para. A1)
[3] CSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance Engagements
9. An assurance engagement performed under the CSAEs may be part of a larger
engagement. In such circumstances, the CSAEs are relevant only to the
assurance portion of the engagement.
10. The following engagements, which may be consistent with the description in
paragraph 14(a), are not considered assurance engagements in terms of the
CSAEs:
(a) Engagements to testify in legal proceedings regarding accounting, auditing,
taxation or other matters; and
(b) Engagements that include professional opinions, views or wording from
which a user may derive some assurance, if all of the following apply:
(i) Those opinions, views or wording are merely incidental to the overall
engagement;
(ii) Any written report issued is expressly restricted for use by only the
intended users specified in the report;
(iii) Under a written understanding with the specified intended users, the
engagement is not intended to be an assurance engagement; and
(iv) The engagement is not represented as an assurance engagement in
the professional accountant’s report.
Effective Date
11. This CSAE is effective for direct engagements where the assurance report is
dated on or after June 30, 2017.
Objectives
12. In conducting a direct engagement, the objectives of the practitioner are:
(a) To obtain either reasonable assurance or limited assurance, as appropriate,
about whether the underlying subject matter conforms, in all material
respects, with the applicable criteria;
(b) To express a conclusion regarding the outcome of the measurement or
evaluation of the underlying subject matter through a written report that
conveys either a reasonable assurance or a limited assurance conclusion
and describes the basis for the conclusion; (Ref: Para. A2) and
(c) To communicate further as required by this CSAE and any other relevant
CSAEs.
13. In all cases when reasonable assurance or limited assurance, as appropriate,
cannot be obtained and a qualified conclusion in the practitioner’s assurance
report is insufficient in the circumstances for purposes of reporting to the
intended users, this CSAE requires that the practitioner disclaim a conclusion or
withdraw (or resign) from the engagement, where withdrawal is possible under
applicable law or regulation.
Definitions
14. For purposes of this CSAE and other CSAEs, unless indicated to the contrary,
the following terms have the meanings attributed below. (Ref: Para. A26)
(a) Assurance engagement – An engagement in which a practitioner aims to
obtain sufficient appropriate evidence in order to express a conclusion
designed to enhance the degree of confidence of the intended users other
than the responsible party about the outcome of the measurement or
evaluation of an underlying subject matter against criteria. Each assurance
engagement is classified on two dimensions: (Ref: Para. A3)
(i) Either a reasonable assurance engagement or a limited assurance
engagement:
a. Reasonable assurance engagement – An assurance engagement
in which the practitioner reduces engagement risk to an acceptably
low level in the circumstances of the engagement as the basis for
the practitioner’s conclusion. The practitioner’s conclusion is
expressed in a form that conveys the practitioner’s opinion on the
outcome of the measurement or evaluation of the underlying
subject matter against criteria. A reasonable assurance
engagement may be referred to as an audit engagement.
b. Limited assurance engagement – An assurance engagement in
which the practitioner reduces engagement risk to a level that is
acceptable in the circumstances of the engagement but where that
risk is greater than for a reasonable assurance engagement as the
basis for expressing a conclusion in a form that conveys whether,
based on the procedures performed and evidence obtained, a
matter(s) has come to the practitioner’s attention to cause the
practitioner to believe: in an attestation engagement, the subject
matter information is materially misstated; or in a direct
engagement, that the underlying subject matter does not
conform, in all material respects, with the applicable criteria. The
nature, timing and extent of procedures performed in a limited
assurance engagement is limited compared with that necessary in
a reasonable assurance engagement but is planned to obtain a
level of assurance that is, in the practitioner’s professional
judgment, meaningful. To be meaningful, the level of assurance
obtained by the practitioner is likely to enhance the intended users’
confidence about the matters being reported on to a degree that is
clearly more than inconsequential. A limited assurance
engagement may be referred to as a review engagement. (Ref:
Para. A3-A7)
(ii) Either an attestation engagement or a direct engagement: (Ref: Para.
A8)
a. Attestation engagement – An assurance engagement in which a
party other than the practitioner measures or evaluates the
underlying subject matter against the criteria. A party other than the
practitioner also often presents the resulting subject matter
information in a report or statement. In some cases, however, the
subject matter information may be presented by the practitioner in
the assurance report. In an attestation engagement, the
practitioner’s conclusion addresses whether the subject matter
information is free from material misstatement. The practitioner’s
conclusion may be phrased in terms of: (Ref: Para. A172, A175)
(i) The underlying subject matter and the applicable criteria;
(ii) The subject matter information and the applicable criteria; or
(iii) A statement made by the appropriate party.
b. Direct engagement – An assurance engagement in which the
practitioner measures or evaluates the underlying subject matter
against the applicable criteria. In a direct engagement, the
practitioner’s conclusion addresses the reported outcome of the
measurement or evaluation of the underlying subject matter against
the criteria.
(b) Assurance skills and techniques – Those planning, evidence gathering,
evidence evaluation, communication and reporting skills and techniques
demonstrated by an assurance practitioner that are distinct from expertise
in the underlying subject matter of any particular assurance engagement or
its measurement or evaluation. (Ref: Para. A9)
(c) Criteria – The benchmarks used to measure or evaluate the underlying
subject matter. The “applicable criteria” are the criteria used for the
particular engagement. (Ref: Para. A10)
(d) Deviation – An instance where the underlying subject matter does not
conform with the applicable criteria. A deviation can be intentional or
unintentional, qualitative or quantitative, and include omissions.
(e) Engagement circumstances – The broad context defining the particular
engagement, which includes: the terms of the engagement; whether it is a
reasonable assurance engagement or a limited assurance engagement; the
characteristics of the underlying subject matter; the measurement or
evaluation criteria; the information needs of the intended users; relevant
characteristics of the responsible party, and the engaging party and their
environment; and other matters, for example, events, transactions,
conditions and practices, that may have a significant effect on the
engagement.
(f) Engagement partner – The partner or other person in the firm who is
responsible for the engagement and its performance, and for the assurance
report that is issued on behalf of the firm, and who, where required, has the
appropriate authority from a professional, legal or regulatory body.
“Engagement partner” should be read as referring to its public sector
equivalents where relevant.
(g) Engagement risk – The risk that the practitioner expresses an inappropriate
conclusion when the underlying subject matter contains a material
deviation. (Ref: Para. A11-A14)
(h) Engaging party – The party(ies) that engages the practitioner to perform the
assurance engagement. (Ref: Para. A15)
(i) Engagement team – All partners and staff performing the engagement, and
any individuals engaged by the firm or a network firm who perform
procedures on the engagement. This excludes a practitioner’s external
expert engaged by the firm or a network firm.
(j) Evidence – Information used by the practitioner in arriving at the
practitioner’s conclusion. Evidence includes both information contained in
relevant information systems, if any, and other information. For purposes of
the CSAEs: (Ref: Para. A140-A146)
(i) Sufficiency of evidence is the measure of the quantity of evidence.
(ii) Appropriateness of evidence is the measure of the quality of evidence.
(k) Firm – A sole practitioner, partnership or corporation or other entity of
individual practitioners. “Firm” should be read as referring to its public
sector equivalents where relevant.
(l) Historical financial information – Information expressed in financial terms in
relation to a particular entity, derived primarily from that entity’s accounting
system, about economic events occurring in past time periods or about
economic conditions or circumstances at points in time in the past.
(m) Internal audit function – A function of an entity that performs assurance and
consulting activities designed to evaluate and improve the effectiveness of
the entity’s governance, risk management and internal control processes.
(n) Intended users – The individual(s) or organization(s), or group(s) thereof
that the practitioner expects will use the assurance report. In some cases,
there may be intended users other than those to whom the assurance
report is addressed. (Ref: Para. A16-A18, A35)
(o) Misstatement of fact (with respect to other information) – Other information
that is unrelated to matters appearing in the underlying subject matter or the
assurance report that is incorrectly stated or presented. A material
misstatement of fact may undermine the credibility of the document
containing the underlying subject matter.
(p) Other information – Information (other than the underlying subject matter
and the assurance report thereon) which is included, either by law,
regulation or custom, in a document containing the underlying subject
matter and the assurance report thereon.
(q) Practitioner – The individual(s) conducting the engagement (usually the
engagement partner or other members of the engagement team, or, as
applicable, the firm). Where this CSAE expressly intends that a requirement
or responsibility be fulfilled by the engagement partner, the term
“engagement partner” rather than “practitioner” is used. (Ref: Para. A35)
(r) Practitioner’s expert – An individual or organization possessing expertise in
a field other than assurance, whose work in that field is used by the
practitioner to assist the practitioner in obtaining sufficient appropriate
evidence. A practitioner’s expert may be either a practitioner’s internal
expert (who is a partner or staff, including temporary staff, of the
practitioner’s firm or a network firm), or a practitioner’s external expert.
(s) Professional judgment – The application of relevant training, knowledge and
experience, within the context provided by assurance and ethical standards,
in making informed decisions about the courses of action that are
appropriate in the circumstances of the engagement.
(t) Professional skepticism – An attitude that includes a questioning mind,
being alert to conditions which may indicate possible deviation, and a
critical assessment of evidence.
(u) Responsible party – The party(ies) responsible for the underlying subject
matter. (Ref: Para. A35)
(v) Risk of material deviation – The risk that the underlying subject matter
contains a material deviation prior to the engagement. (Ref: Para. A88-A96)
(w) Underlying subject matter – The phenomenon that is measured or
evaluated by applying criteria.
15. For the purposes of this CSAE and other CSAEs, references to “appropriate
party(ies)” should be read hereafter as “the responsible party, or the engaging
party, as appropriate.” (Ref: Para. A19, A35)
Requirements
Conduct of a Direct Engagement in Accordance with CSAEs
Complying with Standards that Are Relevant to the Engagement
16. The practitioner performing a direct engagement shall comply with this CSAE
and any subject-matter-specific CSAEs relevant to the engagement.
17. The practitioner shall not represent compliance with this or any other CSAE
unless the practitioner has complied with the requirements of this CSAE and
any other CSAE relevant to the engagement. (Ref: Para. A20-A21)
Text of a CSAE
18. The practitioner shall have an understanding of the entire text of a CSAE,
including its application and other explanatory material, to understand its
objectives and to apply its requirements properly. (Ref: Para. A22-A27)
Complying with Relevant Requirements
19. Subject to the following paragraph, the practitioner shall comply with each
requirement of this CSAE and of any relevant subject-matter-specific CSAE
unless, in the circumstances of the engagement the requirement is not relevant
because it is conditional and the condition does not exist. Requirements that
apply to only limited assurance or reasonable assurance engagements have
been presented in a columnar format with the letter “L” (limited assurance) or
“R” (reasonable assurance) after the paragraph number. (Ref: Para. A28)
20. In exceptional circumstances, the practitioner may judge it necessary to depart
from a relevant requirement in a CSAE. In such circumstances, the practitioner
shall perform alternative procedures to achieve the aim of that requirement. The
need for the practitioner to depart from a relevant requirement is expected to
arise only where the requirement is for a specific procedure to be performed
and, in the specific circumstances of the engagement, that procedure would be
ineffective in achieving the aim of the requirement.
Failure to Achieve an Objective
21. If an objective in this CSAE or a relevant subject-matter-specific CSAE cannot
be achieved, the practitioner shall evaluate whether this requires the
practitioner to modify the practitioner’s conclusion or withdraw from the
engagement (where withdrawal is possible under applicable law or regulation).
Failure to achieve an objective in a relevant CSAE represents a significant
matter requiring documentation in accordance with paragraph 79 of this CSAE.
Ethical Requirements
22. The practitioner shall comply with relevant rules of professional conduct/code of
ethics in Canada, applicable to the practice of public accounting and related to
assurance engagements, issued by various professional accounting bodies or
other professional requirements, or requirements imposed by law or regulation,
that are at least as demanding. (Ref: Para. A29-A32, A57)
Acceptance and Continuance
23. The engagement partner shall be satisfied that appropriate procedures
regarding the acceptance and continuance of client relationships and assurance
engagements have been followed by the firm, and shall determine that
conclusions reached in this regard are appropriate.
24. The practitioner shall accept or continue a direct engagement only when: (Ref:
Para. A29-A32)
(a) The practitioner has no reason to believe that relevant ethical requirements,
including independence, will not be satisfied;
(b) The practitioner is satisfied that those persons who are to perform the
engagement collectively have the appropriate competence and capabilities
(see also paragraph 34); and
(c) The basis upon which the engagement is to be performed has been agreed,
through:
(i) Establishing that the preconditions for a direct engagement are present
(see also paragraphs 26-27); and
(ii) Confirming that there is a common understanding between the
practitioner and the engaging party of the terms of the engagement,
including the practitioner’s reporting responsibilities.
25. If the engagement partner obtains information that would have caused the firm
to decline the engagement had that information been available earlier, the
engagement partner shall communicate that information promptly to the firm, so
that the firm and the engagement partner can take the necessary action.
Preconditions for the Direct Engagement
26. In order to establish whether the preconditions for a direct engagement are
present, the practitioner shall, on the basis of a preliminary knowledge of the
engagement circumstances and discussion with the appropriate party(ies),
determine whether: (Ref: Para. A33-A36)
(a) The roles and responsibilities of the appropriate parties are suitable in the
circumstances; and (Ref: Para. A35-A36)
(b) The engagement exhibits all of the following characteristics:
(i) The underlying subject matter is appropriate; (Ref: Para. A37-A41)
(ii) The criteria that the practitioner expects to be applied are suitable for
the engagement circumstances, including that they exhibit the following
characteristics: (Ref: Para. A42-A47)
a. Relevance.
b. Completeness.
c. Reliability.
d. Neutrality.
e. Understandability.
(iii) The criteria that the practitioner expects to be applied will be available
to the intended users. (Ref: Para. A48-A49)
(iv) The practitioner expects to be able to obtain the evidence needed to
support the practitioner’s conclusion; (Ref: Para. A50-A52)
(v) The practitioner’s conclusion, in the form appropriate to either a
reasonable assurance engagement or a limited assurance
engagement, is to be contained in a written report; and
(vi) A rational purpose including, in the case of a limited assurance
engagement, that the practitioner expects to be able to obtain a
meaningful level of assurance. (Ref: Para. A53)
27. If the preconditions for a direct engagement are not present, the practitioner
shall discuss the matter with the engaging party. If changes cannot be made to
meet the preconditions, the practitioner shall not accept the engagement as an
assurance engagement unless required by law or regulation to do so. However,
an engagement conducted under such circumstances does not comply with
CSAEs. Accordingly, the practitioner shall not include any reference within the
assurance report to the engagement having been conducted in accordance with
this CSAE or any other CSAE(s).
Limitation on Scope Prior to Acceptance of the Engagement
28. If the engaging party imposes a limitation on the scope of the practitioner’s work
in the terms of a proposed direct engagement such that the practitioner believes
the limitation will result in the practitioner disclaiming a conclusion on the
underlying subject matter, the practitioner shall not accept such an engagement
as an assurance engagement, unless required by law or regulation to do so.
(Ref: Para. A149(c))
Agreeing on the Terms of the Engagement
29. The practitioner shall agree the terms of the engagement with the engaging
party. The agreed terms of the engagement shall be specified in sufficient detail
in an engagement letter or other suitable form of written agreement, written
confirmation, or in law or regulation. (Ref: Para. A54-A55)
30. On recurring engagements, the practitioner shall assess whether circumstances
require the terms of the engagement to be revised and whether there is a need
to remind the engaging party of the existing terms of the engagement.
Acceptance of a Change in the Terms of the Engagement
31. The practitioner shall not agree to a change in the terms of the engagement
where there is no reasonable justification for doing so. If such a change is
made, the practitioner shall not disregard evidence that was obtained prior to
the change. (Ref: Para. A56)
Assurance Report Prescribed by Law or Regulation
32. In some cases, law or regulation of the relevant jurisdiction prescribes the
layout or wording of the assurance report. In these circumstances, the
practitioner shall evaluate:
(a) Whether intended users might misunderstand the assurance conclusion;
and
(b) If so, whether additional explanation in the assurance report can mitigate
possible misunderstanding.
If the practitioner concludes that additional explanation in the assurance report
cannot mitigate possible misunderstanding, the practitioner shall not accept the
engagement, unless required by law or regulation to do so. An engagement
conducted in accordance with such law or regulation does not comply with
CSAEs. Accordingly, the practitioner shall not include any reference within the
assurance report to the engagement having been conducted in accordance with
this CSAE or any other CSAE(s) (see also paragraph 72).
Quality Control
Characteristics of the Engagement Partner
33. The engagement partner shall:
(a) Be a member of a firm that applies CSQC 1, or other professional
requirements, or requirements in law or regulation, that are at least as
demanding as CSQC 1; (Ref: Para. A57-A63)
(b) Have competence in assurance skills and techniques developed through
extensive training and practical application; and (Ref: Para. A57)
(c) Have sufficient competence in the underlying subject matter and its
measurement or evaluation to accept responsibility for the assurance
conclusion. (Ref: Para. A64-A65)
Assignment of the Team
34. The engagement partner shall: (Ref: Para. A66)
(a) Be satisfied that those persons who are to perform the engagement
collectively have the appropriate competence and capabilities to:
(i) Perform the engagement in accordance with relevant standards and
applicable legal and regulatory requirements; and
(ii) Enable an assurance report that is appropriate in the circumstances to
be issued.
(b) Be satisfied that the practitioner will be able to be involved in the work of:
(i) A practitioner’s expert where the work of that expert is to be used; and
(Ref: Para. A67-A68)
(ii) Another practitioner, not part of the engagement team, where the
assurance work of that practitioner is to be used, (Ref: Para. A69-A70)
to an extent that is sufficient to accept responsibility for the assurance
conclusion on the underlying subject matter.
Responsibilities of the Engagement Partner
35.
The engagement partner shall take responsibility for the overall quality on the
engagement. This includes responsibility for:
(a) Appropriate procedures being performed regarding the acceptance and
continuance of client relationships and engagements;
(b) The engagement being planned and performed (including appropriate
direction and supervision) to comply with professional standards and
applicable legal and regulatory requirements;
(c) Reviews being performed in accordance with the firm’s review policies and
procedures, and reviewing the engagement documentation on or before the
date of the assurance report; (Ref: Para. A71)
(d) Appropriate engagement documentation being maintained to provide
evidence of achievement of the practitioner’s objectives, and that the
engagement was performed in accordance with relevant CSAEs and
relevant legal and regulatory requirements; and
(e) Appropriate consultation being undertaken by the engagement team on
difficult or contentious matters.
36.
Throughout the engagement, the engagement partner shall remain alert,
through observation and making inquiries as necessary, for evidence of non-compliance with relevant ethical requirements by members of the engagement
team. If matters come to the engagement partner’s attention through the firm’s
system of quality control or otherwise that indicate that members of the
engagement team have not complied with relevant ethical requirements, the
engagement partner, in consultation with others in the firm, shall determine the
appropriate action.
37.
The engagement partner shall consider the results of the firm’s monitoring
process as evidenced in the latest information circulated by the firm and, if
applicable, other network firms and whether deficiencies noted in that
information may affect the assurance engagement.
Engagement Quality Control Review
38.
For those engagements, if any, for which a quality control review is required by
law or regulation or for which the firm has determined that an engagement
quality control review is required:
(a) The engagement partner shall take responsibility for discussing significant
matters arising during the engagement with the engagement quality control
reviewer, and not date the assurance report until completion of that review;
and
(b) The engagement quality control reviewer shall perform an objective
evaluation of the significant judgments made by the engagement team, and
the conclusions reached in formulating the assurance report. This
evaluation shall involve: (Ref: Para. A72)
(i) Discussion of significant matters with the engagement partner;
(ii) Review of the proposed assurance report;
(iii) Review of selected engagement documentation relating to the
significant judgments the engagement team made and the conclusions
it reached; and
(iv) Evaluation of the conclusions reached in formulating the assurance
report and consideration of whether the proposed assurance report is
appropriate.
Professional Skepticism, Professional Judgment, and Assurance Skills and
Techniques
39.
The practitioner shall plan and perform an engagement with professional
skepticism, recognizing that circumstances may exist that cause the underlying
subject matter to deviate from the applicable criteria. (Ref: Para. A73-A77)
40.
The practitioner shall exercise professional judgment in planning and
performing a direct engagement, including determining the nature, timing and
extent of procedures. (Ref: Para. A78-A82)
41.
The practitioner shall apply assurance skills and techniques as part of an
iterative, systematic engagement process.
Planning and Performing the Engagement
Planning
42.
The practitioner shall plan the engagement so that it will be performed in an
effective manner, including setting the scope, timing and direction of the
engagement, and determining the nature, timing and extent of planned
procedures that are required to be carried out in order to achieve the objectives
of the practitioner. (Ref: Para. A83-A87)
43.
The practitioner shall determine whether the criteria are suitable for the
engagement circumstances, including that they exhibit the characteristics
identified in paragraph 26(b)(ii).
44.
If it is discovered after the engagement has been accepted that one or more
preconditions for an assurance engagement is not present, the practitioner shall
discuss the matter with the appropriate party(ies), and shall determine:
(a) Whether the matter can be resolved to the practitioner’s satisfaction;
(b) Whether it is appropriate to continue with the engagement; and
(c) Whether and, if so, how to communicate the matter in the assurance report.
45.
If it is discovered after the engagement has been accepted that some or all of
the applicable criteria are unsuitable or some or all of the underlying subject
matter is not appropriate for an assurance engagement, the practitioner shall
consider withdrawing from the engagement, if withdrawal is possible under
applicable law or regulation. If the practitioner continues with the engagement,
the practitioner shall express a qualified or adverse conclusion, or disclaimer of
conclusion, as appropriate in the circumstances. (Ref: Para. A87)
Materiality
46.
The practitioner shall consider materiality when: (Ref: Para. A88-A96)
(a) Planning and performing the assurance engagement, including when
determining the nature, timing and extent of procedures; and
(b) Evaluating whether the underlying subject matter is free from material
deviation.
Understanding the Underlying Subject Matter and Other Engagement Circumstances
47.
The practitioner shall make inquiries of the appropriate party(ies) regarding:
(a) Whether they have knowledge of any actual, suspected or alleged
intentional deviation, including non-compliance with laws and regulations
affecting the underlying subject matter; (Ref: Para. A97)
(b) Whether the responsible party has an internal audit function and, if so,
make further inquiries to obtain an understanding of the activities and main
findings of the internal audit function with respect to the underlying subject
matter; and
(c) Whether the responsible party has used any experts in dealing with the
underlying subject matter.
Limited Assurance
48L. The practitioner shall obtain an
understanding of the underlying subject
matter and other engagement
circumstances sufficient to:
(a) Enable the practitioner to identify
areas where a material deviation is
likely to arise; and
(b) Thereby, provide a basis for
designing and performing
procedures to address the areas
identified in paragraph 48L(a) and
to obtain limited assurance to
support the practitioner’s
conclusion. (Ref: Para. A97-A100,
A102)
Reasonable Assurance
48R. The practitioner shall obtain an
understanding of the underlying
subject matter and other engagement
circumstances sufficient to:
(a) Enable the practitioner to identify
and assess the risks of material
deviation; and
(b) Thereby, provide a basis for
designing and performing
procedures to respond to the
assessed risks and to obtain
reasonable assurance to support
the practitioner’s conclusion.
(Ref: Para. A97-A99, A102)
49L. (Not applicable)
49R. In obtaining an understanding of the
underlying subject matter and other
engagement circumstances under
paragraph 48R, the practitioner shall
obtain an understanding of internal
control relevant to the engagement.
This includes evaluating the design of
those controls relevant to the
engagement and determining
whether they have been implemented
by performing procedures in addition
to inquiry of the personnel
responsible for the underlying subject
matter. (Ref: Para. A101)
Obtaining Evidence
Risk Consideration and Responses to Risks
Limited Assurance
50L. Based on the practitioner’s
understanding (see paragraph 48L),
the practitioner shall: (Ref: Para.
A103-A107)
(a) Identify areas where a material
deviation is likely to arise;
(b) Design and perform procedures
to address the areas identified in
paragraph 50L(a) and to obtain
limited assurance to support the
practitioner’s conclusion.
Determining Whether Additional
Procedures Are Necessary in a Limited
Assurance Engagement
51L. If the practitioner becomes aware of a
matter(s) that causes the practitioner
to believe that a material
deviation may exist, the practitioner
shall design and perform additional
procedures to obtain further evidence
until the practitioner is able to: (Ref:
Para. A108-A112)
(a) Conclude that the matter is not
likely to cause a material
deviation; or
(b) Determine that the matter(s)
causes a material deviation.
Reasonable Assurance
50R. Based on the practitioner’s understanding
(see paragraph 48R) the practitioner
shall: (Ref: Para. A103-A105)
(a) Identify and assess the risks of
material deviation; and
(b) Design and perform procedures to
respond to the assessed risks and to
obtain reasonable assurance to
support the practitioner’s conclusion.
In addition to any other procedures
on the underlying subject matter that
are appropriate in the engagement
circumstances, the practitioner’s
procedures shall include obtaining
sufficient appropriate evidence as to
the operating effectiveness of
relevant controls over the underlying
subject matter when:
(i) The practitioner’s assessment of
the risks of material deviation
includes an expectation that
controls are operating effectively;
or
(ii) Procedures other than testing of
controls cannot alone provide
sufficient appropriate evidence.
Revision of Risk Assessment in a Reasonable
Assurance Engagement
51R. The practitioner’s assessment of the
risks of material deviation may change
during the course of the engagement as
additional evidence is obtained. In
circumstances where the practitioner
obtains evidence that is inconsistent with
the evidence on which the practitioner
originally based the assessment of the
risks of material deviation, the
practitioner shall revise the assessment
and modify the planned procedures
accordingly. (Ref: Para. A107)
52.
When designing and performing procedures, the practitioner shall consider the
relevance and reliability of the information to be used as evidence. If:
(a) Evidence obtained from one source is inconsistent with that obtained from
another; or
(b) The practitioner has doubts about the reliability of information to be used as
evidence,
the practitioner shall determine what changes or additions to procedures are
necessary to resolve the matter, and shall consider the effect of the matter, if
any, on other aspects of the engagement.
53.
The practitioner shall consider whether individual deviations identified during
the engagement (other than those that are clearly trivial) have characteristics,
for example, a root cause or a problematic pattern, that indicate the aggregate
effect of individual deviations is likely to be material. (Ref: Para. A113)
Work Performed by a Practitioner’s Expert
54.
When the work of a practitioner’s expert is to be used, the practitioner shall
also: (Ref: Para. A114-A118)
(a) Evaluate whether the practitioner’s expert has the necessary competence,
capabilities and objectivity for the practitioner’s purposes. In the case of a
practitioner’s external expert, the evaluation of objectivity shall include
inquiry regarding interests and relationships that may create a threat to that
expert’s objectivity; (Ref: Para. A119-A122)
(b) Obtain a sufficient understanding of the field of expertise of the
practitioner’s expert; (Ref: Para. A123-A124)
(c) Agree with the practitioner’s expert on the nature, scope and objectives of
that expert’s work; and (Ref: Para. A125-A126)
(d) Evaluate the adequacy of the practitioner’s expert’s work for the
practitioner’s purposes. (Ref: Para. A127-A128)
Work Performed by Another Practitioner, a Responsible Party’s Expert, or an Internal
Auditor (Ref: Para. A129)
55.
When the work of another practitioner is to be used, the practitioner shall
evaluate whether that work is adequate for the practitioner’s purposes.
56.
If information to be used as evidence has been prepared using the work of a
responsible party’s expert, the practitioner shall, to the extent necessary having
regard to the significance of that expert’s work for the practitioner’s purposes:
(a) Evaluate the competence, capabilities and objectivity of that expert;
(b) Obtain an understanding of the work of that expert; and
(c) Evaluate the appropriateness of that expert’s work as evidence.
57.
If the practitioner plans to use the work of the internal audit function, the
practitioner shall evaluate the following:
(a) The extent to which the internal audit function’s organizational status and
relevant policies and procedures support the objectivity of the internal
auditors;
(b) The level of competence of the internal audit function;
(c) Whether the internal audit function applies a systematic and disciplined
approach, including quality control; and
(d) Whether the work of the internal audit function is adequate for the purposes
of the engagement.
Written Representations
58.
The practitioner shall request from the appropriate party(ies) a written
representation that it has provided the practitioner with all information of which
the appropriate party(ies) is aware that has been requested or that could
materially affect the findings or the conclusion of the engagement report. (Ref:
Para. A51-A52 and A130-A132)
59.
If, in addition to required representations, the practitioner determines that it is
necessary to obtain one or more written representations to support other
evidence relevant to the underlying subject matter, the practitioner shall request
such other written representations.
60.
When written representations relate to matters that are material to the
underlying subject matter, the practitioner shall:
(a) Evaluate their reasonableness and consistency with other evidence
obtained, including other representations (oral or written); and
(b) Consider whether those making the representations can be expected to be
well-informed on the particular matters.
61.
The date of the written representations shall be as near as practicable to, but
not after, the date of the assurance report.
Requested Written Representations Not Provided or Not Reliable
62.
If one or more of the requested written representations are not provided or the
practitioner concludes that there is sufficient doubt about the competence,
integrity, ethical values, or diligence of those providing the written
representations, or that the written representations are otherwise not reliable,
the practitioner shall: (Ref: Para. A133)
(a) Discuss the matter with the appropriate party(ies);
(b) Reevaluate the integrity of those from whom the representations were
requested or received and evaluate the effect that this may have on the
reliability of representations (oral or written) and evidence in general; and
(c) Take appropriate actions, including determining the possible effect on the
conclusion in the assurance report.
Subsequent Events
63.
When relevant to the engagement, the practitioner shall consider the effect on
the underlying subject matter and on the assurance report of events up to the
date of the assurance report, and shall respond appropriately to facts that
become known to the practitioner after the date of the assurance report that,
had they been known to the practitioner at that date, may have caused the
practitioner to amend the assurance report. The extent of consideration of
subsequent events depends on the potential for such events to affect the
underlying subject matter and to affect the appropriateness of the practitioner’s
conclusion. However, the practitioner has no responsibility to perform any
procedures regarding the underlying subject matter after the date of the
assurance report. (Ref: Para. A134-A135)
Other Information
64.
When documents containing the assurance report include other information, the
practitioner shall read that other information to identify material inconsistencies,
if any, with the assurance report and, if on reading that other information, the
practitioner: (Ref: Para. A136)
(a) Identifies a material inconsistency between that other information and the
assurance report; or
(b) Becomes aware of a material misstatement of fact in that other information
that is unrelated to matters appearing in the assurance report,
the practitioner shall discuss the matter with the appropriate party(ies) and take
further action as appropriate.
Forming the Assurance Conclusion
65.
The practitioner shall evaluate the sufficiency and appropriateness of the
evidence obtained in the context of the engagement and, if necessary in the
circumstances, attempt to obtain further evidence. The practitioner shall
consider all relevant evidence, regardless of whether it appears to corroborate
or to contradict the measurement or evaluation of the underlying subject matter
against the applicable criteria. If the practitioner is unable to obtain necessary
further evidence, the practitioner shall consider the implications for the
practitioner’s conclusion in paragraph 66. (Ref: Para. A140-A146)
66.
The practitioner shall form a conclusion about whether the underlying subject
matter is free from material deviation. In forming that conclusion, the practitioner
shall consider the practitioner’s conclusion in paragraph 65 regarding the
sufficiency and appropriateness of evidence obtained and an evaluation of
whether identified deviations are material, individually or in the aggregate. (Ref:
Para. A3 and A147-A148)
67.
If the practitioner is unable to obtain sufficient appropriate evidence, a scope
limitation exists and the practitioner shall express a qualified conclusion,
disclaim a conclusion, or withdraw from the engagement, where withdrawal is
possible under applicable law or regulation, as appropriate. (Ref: Para. A149-A151)
Preparing the Assurance Report
68.
The assurance report shall be in writing and shall contain a clear expression of
the practitioner’s conclusion about the underlying subject matter. (Ref: Para.
A2, A152-A154)
69.
The practitioner’s conclusion shall be clearly separated from information or
explanations that are not intended to affect the practitioner’s conclusion,
including any findings related to particular aspects of the engagements,
recommendations or additional information included in the assurance report.
The wording used shall make it clear that findings, recommendations or
additional information is not intended to detract from the practitioner’s
conclusion. (Ref: Para. A152-A154)
Assurance Report Content
70.
The assurance report shall include, at a minimum, the following basic elements:
(a) A title that clearly indicates the report is an independent assurance report.
(Ref: Para. A155)
(b) An addressee. (Ref: Para. A156)
(c) An identification or description of the level of assurance obtained by the
practitioner, and the underlying subject matter. (Ref: Para. A157)
(d) Identification or description of the applicable criteria. (Ref: Para. A137-A139, A158)
(e) Where appropriate, a description of any significant inherent limitations
associated with the measurement or evaluation of the underlying subject
matter against the applicable criteria. (Ref: Para. A159)
(f) When the applicable criteria are designed for a specific purpose, a
statement alerting readers to this fact and that, as a result, the practitioner’s
report may not be suitable for another purpose. (Ref: Para. A160-A161)
(g) A statement to identify the responsible party, and to describe their
responsibilities and the practitioner’s responsibilities. (Ref: Para. A162)
(h) A statement that the engagement was performed in accordance with this
CSAE or, where there is a subject-matter-specific CSAE, that CSAE. (Ref:
Para. A163-A164)
(i) A statement that the firm of which the practitioner is a member applies
CSQC 1, or other professional requirements, or requirements in law or
regulation, that are at least as demanding as CSQC 1. If the practitioner is
not a professional accountant, the statement shall identify the professional
requirements, or requirements in law or regulation, applied that are at least
as demanding as CSQC 1. (Ref: Para. A165)
(j) A statement that the practitioner complies with the independence and other
ethical requirements of the relevant rules of professional conduct/code of
ethics in Canada applicable to the practice of public accounting and related
to assurance engagements, issued by various professional accounting
bodies or other professional requirements, or requirements imposed by law
or regulation, that are at least as demanding. If the practitioner is not a
professional accountant, the statement shall identify the professional
requirements, or requirements imposed by law or regulation, applied that
are at least as demanding. (Ref: Para. A166)
(k) An informative summary of the work performed as the basis for the
practitioner’s conclusion. In the case of a limited assurance engagement,
an appreciation of the nature, timing and extent of procedures performed is
essential to understanding the practitioner’s conclusion. In a limited
assurance engagement, the summary of the work performed shall state
that:
(i) The procedures performed in a limited assurance engagement vary in
nature and timing from, and are less in extent than for, a reasonable
assurance engagement; and
(ii) Consequently, the level of assurance obtained in a limited assurance
engagement is substantially lower than the assurance that would have
been obtained had a reasonable assurance engagement been
performed. (Ref: Para. A6, A167-A171)
(l) The practitioner’s conclusion: (Ref: Para. A2, A172-A176)
(i) When appropriate, the conclusion shall inform the intended users of the
context in which the practitioner’s conclusion is to be read. (Ref: Para.
A173)
(ii) In a reasonable assurance engagement, the conclusion shall be
expressed in a positive form. (Ref: Para. A172)
(iii) In a limited assurance engagement, the conclusion shall be expressed
in a form that conveys whether, based on the procedures performed
and evidence obtained, a matter(s) has come to the practitioner’s
attention to cause the practitioner to believe that there is a material
deviation in the underlying subject matter. (Ref: Para. A174)
(iv) The conclusion in (ii) or (iii) shall be phrased using appropriate words
for the underlying subject matter and applicable criteria given the
engagement circumstances.
(v) When the practitioner expresses a modified conclusion, the assurance
report shall contain:
a. A section that provides a description of the matter(s) giving rise to
the modification; and
b. A section that contains the practitioner’s modified conclusion. (Ref:
Para. A176)
(m) The practitioner’s signature. (Ref: Para. A177)
(n) The date of the assurance report. The assurance report shall be dated no
earlier than the date on which the practitioner has obtained the evidence on
which the practitioner’s conclusion is based including receipt of the written
representations under paragraphs 58 and 59. (Ref: Para. A178)
(o) The location in the jurisdiction where the practitioner practices.
Reference to the Practitioner’s Expert in the Assurance Report
71.
If the practitioner refers to the work of a practitioner’s expert in the assurance
report, the wording of that report shall not imply that the practitioner’s
responsibility for the conclusion expressed in that report is reduced because of
the involvement of that expert. (Ref: Para. A179-A181)
Assurance Report Prescribed by Law or Regulation
72.
If the practitioner is required by law or regulation to use a specific layout or
wording of the assurance report, the assurance report shall refer to this or other
CSAEs only if the assurance report includes, at a minimum, each of the
elements identified in paragraph 70.
Unmodified and Modified Conclusions
73.
The practitioner shall express an unmodified conclusion when the practitioner
concludes:
(a) In the case of a reasonable assurance engagement, that the underlying
subject matter complies, in all material respects, with the applicable criteria;
or
(b) In the case of a limited assurance engagement, that, based on the
procedures performed and evidence obtained, no matter(s) has come to the
attention of the practitioner that causes the practitioner to believe that the
underlying subject matter does not conform, in all material respects, with
the applicable criteria.
74.
If the practitioner considers it necessary to communicate a matter other than
those specifically related to the underlying subject matter that, in the
practitioner’s judgment, is relevant to intended users’ understanding of the
engagement, the practitioner’s responsibilities or the assurance report, and this
is not prohibited by law or regulation, the practitioner shall do so in a paragraph
in the assurance report, with an appropriate heading, that clearly indicates the
practitioner’s conclusion is not modified in respect of the matter.
75.
The practitioner shall express a modified conclusion in the following
circumstances:
(a) When, in the practitioner’s professional judgment, a scope limitation exists
and the effect of the matter could be material (see paragraph 67). In such
cases, the practitioner shall express a qualified conclusion or a disclaimer
of conclusion.
(b) When, in the practitioner’s professional judgment, there is a material
deviation in underlying subject matter. In such cases, the practitioner shall
express a qualified conclusion or adverse conclusion. (Ref: Para. A184)
76.
The practitioner shall express a qualified conclusion when, in the practitioner’s
professional judgment, the effects, or possible effects, of a matter are not so
material and pervasive as to require an adverse conclusion or a disclaimer of
conclusion. A qualified conclusion shall be expressed as being “except for” the
effects, or possible effects, of the matter to which the qualification relates. (Ref:
Para. A182-A183)
77.
If the practitioner expresses a modified conclusion because of a scope limitation
but is also aware of a matter(s) that causes a material deviation in the
underlying subject matter, the practitioner shall include in the assurance report
a clear description of both the scope limitation and the matter(s) that causes the
material deviation.
Other Communication Responsibilities
78.
The practitioner shall consider whether, pursuant to the terms of the
engagement and other engagement circumstances, any matter has come to the
attention of the practitioner that is to be communicated with the responsible
party, the measurer or evaluator, the engaging party, those charged with
governance or others. (Ref: Para. A185)
Documentation
79.
The practitioner shall prepare on a timely basis engagement documentation that
provides a record of the basis for the assurance report that is sufficient and
appropriate to enable an experienced practitioner, having no previous
connection with the engagement, to understand: (Ref: Para. A186-A190)
(a) The nature, timing and extent of the procedures performed to comply with
relevant CSAEs and applicable legal and regulatory requirements;
(b) The results of the procedures performed, and the evidence obtained; and
(c) Significant matters arising during the engagement, the conclusions reached
thereon, and significant professional judgments made in reaching those
conclusions.
80.
If the practitioner identifies information that is inconsistent with the practitioner’s
final conclusion regarding a significant matter, the practitioner shall document
how the practitioner addressed the inconsistency.
81.
The practitioner shall assemble the engagement documentation in an
engagement file and complete the administrative process of assembling the
final engagement file on a timely basis after the date of the assurance report.
(Ref: Para. A191-A192)
82.
After the assembly of the final engagement file has been completed, the
practitioner shall not delete or discard engagement documentation of any
nature before the end of its retention period. (Ref: Para. A193)
83.
If the practitioner finds it necessary to amend existing engagement
documentation or add new engagement documentation after the assembly of
the final engagement file has been completed, the practitioner shall, regardless
of the nature of the amendments or additions, document:
(a) The specific reasons for making the amendments or additions; and
(b) When, and by whom, they were made and reviewed.
***
Application and Other Explanatory Material
Introduction (Ref: Para. 8)
A1.
In a consulting engagement, the practitioner applies technical skills,
education, observations, experiences, and knowledge. Consulting
engagements involve an analytical process that typically involves some
combination of activities relating to: objective-setting, fact-finding, definition
of problems or opportunities, evaluation of alternatives, development of
recommendations including actions, communication of results, and
sometimes implementation and follow-up. Reports (if issued) are generally
written in a narrative (or “long form”) style. Generally the work performed is
only for the use and benefit of the client. The nature and scope of work is
determined by agreement between the practitioner and the client. Any
service that meets the definition of an assurance engagement is not a
consulting engagement but an assurance engagement.
Objectives (Ref: Para. 12(b), 68, 70(l))
A1A.
The practitioner in a value-for-money (performance) audit would normally
describe in the report the overall objective of the engagement and the
underlying subject matter so that the reader can understand and properly
interpret the results. The practitioner’s conclusion relates to the overall objective
and scope of the engagement and follows logically from the description of the
criteria and findings.
A2.
Where the underlying subject matter is made up of a number of aspects,
separate conclusions may be provided on each aspect. All such separate
conclusions do not need to relate to the same level of assurance. Rather,
each conclusion is expressed in the form that is appropriate to either a
reasonable assurance engagement or a limited assurance engagement.
References in this CSAE to the conclusion in the assurance report include
each conclusion when separate conclusions are provided.
Definitions
The Nature, Timing and Extent of Procedures in Limited and Reasonable Assurance
Engagements (Ref: Para. 14(a)(i), 66)
A3.
Because the level of assurance obtained in a limited assurance
engagement is lower than in a reasonable assurance engagement, the
procedures the practitioner performs in a limited assurance engagement
vary in nature and timing from, and are less in extent than for, a reasonable
assurance engagement. The primary differences between the procedures
for a reasonable assurance engagement and a limited assurance
engagement include:
(a) The emphasis placed on the nature of various procedures as a source of
evidence will likely differ, depending on the engagement circumstances. For
example, the practitioner may judge it to be appropriate in the
circumstances of a particular limited assurance engagement to place
relatively greater emphasis on inquiries of the entity’s personnel and
analytical procedures, and relatively less emphasis, if any, on testing of
controls and obtaining evidence from external sources than may be the
case for a reasonable assurance engagement.
(b) In a limited assurance engagement, the practitioner may:
• Select fewer items for examination; or
• Perform fewer procedures (for example, performing only analytical
procedures in circumstances when, in a reasonable assurance
engagement, both analytical procedures and other procedures would
be performed).
(c) In a reasonable assurance engagement, analytical procedures performed in
response to the engagement risk involve developing expectations that are
sufficiently precise to identify material deviations. In a limited assurance
engagement, analytical procedures may be designed to support
expectations regarding the direction of trends, relationships and ratios
rather than to identify deviations with the level of precision expected in a
reasonable assurance engagement.
(d) Further, when significant fluctuations, relationships or differences are
identified, appropriate evidence in a limited assurance engagement may be
obtained by making inquiries and considering responses received in the
light of known engagement circumstances.
(e) In addition, when undertaking analytical procedures in a limited assurance
engagement the practitioner may, for example, use data that is more highly
aggregated, such as quarterly data rather than monthly data, or use data
that has not been subjected to separate procedures to test its reliability to
the same extent as it would be for a reasonable assurance engagement.
A Level of Assurance that is Meaningful (Ref: Para. 14(a)(i)(b))
A4.
The level of assurance the practitioner plans to obtain is not ordinarily
susceptible to quantification, and whether it is meaningful is a matter of
professional judgment for the practitioner to determine in the circumstances
of the engagement. In a limited assurance engagement, the practitioner
performs procedures that are limited compared with those necessary in a
reasonable assurance engagement but are nonetheless planned to obtain a
level of assurance that is meaningful. To be meaningful, the level of
assurance obtained by the practitioner is clearly more than inconsequential.
A5.
Across the range of all limited assurance engagements, what is meaningful
assurance can vary from just above assurance that is clearly more than
inconsequential to just below reasonable assurance. What is meaningful in
a particular engagement represents a judgment within that range that
depends on the engagement circumstances, including the information
needs of intended users as a group, the criteria, and the underlying subject
matter of the engagement.
A6.
Because the level of assurance obtained by the practitioner in limited
assurance engagements varies, the practitioner’s report contains an
informative summary of the procedures performed, recognizing that an
appreciation of the nature, timing and extent of procedures performed is
essential to understanding the practitioner’s conclusion (see paragraphs
70(k) and A167-A171).
A7.
Some of the factors that may be relevant in determining what constitutes
meaningful assurance in a specific engagement include, for example:
• The characteristics of the underlying subject matter and the criteria, and
whether there are any relevant subject-matter-specific CSAEs.
• Instructions or other indications from the engaging party about the nature of
the assurance the engaging party is seeking the practitioner to obtain. For
example, the terms of the engagement may stipulate particular procedures
that the engaging party considers necessary or particular aspects of the
underlying subject matter on which the engaging party would like the
practitioner to focus procedures. However, the practitioner may consider
that other procedures are required to obtain sufficient appropriate evidence
to obtain meaningful assurance.
• Generally accepted practice, if it exists, with respect to assurance
engagements for the particular underlying subject matter, or similar or
related subject matter.
• The information needs of intended users as a group. Generally, the greater
the consequence to intended users of receiving an inappropriate conclusion
when there is a material deviation in the underlying subject matter, the
greater the assurance that would be needed in order to be meaningful to
them. For example, in some cases, the consequence to intended users of
receiving an inappropriate conclusion may be so great that a reasonable
assurance engagement is needed for the practitioner to obtain assurance
that is meaningful in the circumstances.
• The expectation by intended users that the practitioner will form the limited
assurance conclusion on the underlying subject matter within a short
timeframe and at a low cost.
Examples of Direct Engagements (Ref: Para. 14(a)(ii))
A8.
The underlying subject matter of a direct engagement may be similar to that
of an attestation engagement. However, in an attestation engagement, the
practitioner is reporting on a statement or report prepared by the entity,
while this is not the case in a direct engagement. Examples of
engagements that may be conducted under this CSAE include:
(a) Sustainability – An engagement to obtain assurance on the sustainability
performance of the entity.
(b) Compliance with law or regulation – An engagement to obtain assurance on
whether the entity has complied with relevant laws or regulations.
(c) Value-for-money – An engagement to obtain assurance on any or all of the
following.
• The adequacy of management systems controls and practices,
including those intended to control and safeguard assets, to ensure due
regard to economy, efficiency and effectiveness.
• The extent to which resources have been managed with due regard to
economy and efficiency.
• The extent to which programs, operations or activities of an entity have
been effective.
Assurance Skills and Techniques (Ref: Para. 14(b))
A9.
Assurance skills and techniques include:
• Application of professional skepticism and professional judgment;
• Planning and performing an assurance engagement, including obtaining
and evaluating evidence;
• Understanding information systems and the role and limitations of internal
control;
• Linking the consideration of materiality and engagement risks to the nature,
timing and extent of procedures;
• Applying procedures as appropriate to the engagement (which may include
inquiry, inspection, recalculation, reperformance, observation, confirmation,
and analytical procedures); and
• Systematic documentation practices and assurance report-writing skills.
Criteria (Ref: Para. 14(c), Appendix 1)
A10.
Suitable criteria are required for reasonably consistent measurement or
evaluation of an underlying subject matter within the context of professional
judgment. Without the frame of reference provided by suitable criteria, any
conclusion is open to individual interpretation and misunderstanding. The
suitability of criteria is context-sensitive; that is, it is determined in the context of
the engagement circumstances. Even for the same underlying subject matter
there can be different criteria, which will yield a different measurement or
evaluation. For example, a practitioner might select, as one of the criteria for the
underlying subject matter of customer satisfaction, the number of customer
complaints resolved to the acknowledged satisfaction of the customer; another
practitioner might select the number of repeat purchases in the three months
following the initial purchase. The suitability of criteria is not affected by the
level of assurance; that is, if criteria are unsuitable for a reasonable assurance
engagement, they are also unsuitable for a limited assurance engagement, and
vice versa. Suitable criteria include, when relevant, criteria for presentation and
disclosure.
Engagement Risk (Ref: Para. 14(g))
A11.
Engagement risk does not refer to, or include, the practitioner’s business risks,
such as loss from litigation, adverse publicity, or other events arising in
connection with particular subject matter information.
A12.
In general, engagement risk can be represented by the following components,
although not all of these components will necessarily be present or significant
for all assurance engagements:
(a) Risks that the practitioner does not directly influence, which in turn consist
of:
(i) The susceptibility of the underlying subject matter to a material
deviation before consideration of any related controls applied by the
appropriate party(ies) (inherent risk); and
(ii) The risk that a material deviation that occurs in the underlying subject
matter will not be prevented, or detected and corrected, on a timely
basis by the appropriate party(ies)’s internal control (control risk); and
(b) The risk that the practitioner does directly influence, which is the risk that
the procedures performed by the practitioner will not detect a material
deviation (detection risk).
A13.
The degree to which each of these components is relevant to the engagement
is affected by the engagement circumstances, in particular:
• The nature of the underlying subject matter. For example, the concept of
control risk may be more useful when the underlying subject matter relates
to an entity’s performance than when it relates to information about the
effectiveness of a control or the existence of a physical condition.
• Whether a reasonable assurance or a limited assurance engagement is
being performed. For example, in limited assurance engagements, the
practitioner may often decide to obtain evidence by means other than
testing of controls, in which case consideration of control risk may be less
relevant than in a reasonable assurance engagement on the same
underlying subject matter.
The consideration of risks is a matter of professional judgment, rather than a
matter capable of precise measurement.
A14.
Reducing engagement risk to zero is very rarely attainable or cost beneficial
and, therefore, “reasonable assurance” is less than absolute assurance, as a
result of factors such as the following:
• The use of selective testing.
• The inherent limitations of internal control.
• The fact that much of the evidence available to the practitioner is
persuasive rather than conclusive.
• The use of professional judgment in gathering and evaluating evidence and
forming conclusions based on that evidence.
• In some cases, the characteristics of the underlying subject matter when
evaluated or measured against the criteria.
The Engaging Party (Ref: Para. 14(h), Appendix 1)
A15.
The engaging party may be, under different circumstances, management or
those charged with governance of the responsible party, a legislature, the
intended users, or a different third party.
Intended Users (Ref: Para. 14(n), Appendix 1)
A16.
In some cases, there may be intended users other than those to whom the
assurance report is addressed. The practitioner may not be able to identify all
those who will read the assurance report, particularly where a large number of
people have access to it. In such cases, particularly where possible users are
likely to have a broad range of interests in the underlying subject matter,
intended users may be limited to major stakeholders with significant and
common interests. Intended users may be identified in different ways, for
example, by agreement between the practitioner and the responsible party or
engaging party, or by law or regulation.
A17.
Intended users or their representatives may be directly involved with the
practitioner and the responsible party (and the engaging party if different) in
determining the requirements of the engagement. Regardless of the
involvement of others, however, and unlike an agreed-upon procedures
engagement (which involves reporting factual findings based upon procedures
agreed with the engaging party and any appropriate third parties, rather than a
conclusion):
(a) The practitioner is responsible for determining the nature, timing and extent
of procedures; and
(b) The practitioner may need to perform additional procedures if information
comes to the practitioner’s attention that differs significantly from that on
which the determination of planned procedures was based (see paragraphs
A110-A112).
A18.
In some cases, intended users (for example, bankers and regulators) impose a
requirement on, or request, the appropriate party(ies) to arrange for an
assurance engagement to be performed for a specific purpose. When
engagements use criteria that are designed for a specific purpose, paragraph
70(f) requires a statement alerting readers to this fact. In addition, the
practitioner may consider it appropriate to indicate that the assurance report is
intended solely for specific users. Depending on the engagement
circumstances, this may be achieved by restricting the distribution or use of the
assurance report (see paragraphs A160-A161).
The Appropriate Party(ies) (Ref: Para. 15, Appendix 1)
A19.
The roles played by the responsible party and the engaging party can vary (see
paragraph A35). Also, management and governance structures vary by
jurisdiction and by entity, reflecting influences such as different cultural and
legal backgrounds, and size and ownership characteristics. Such diversity
means that it is not possible for CSAEs to specify for all engagements the
person(s) of whom the practitioner is to inquire, request representations
from, or otherwise communicate with in all circumstances. In some cases, for
example, when the appropriate party(ies) is only part of a complete legal entity,
identifying the appropriate management personnel or those charged with
governance with whom to communicate will require the exercise of professional
judgment to determine which person(s) have the appropriate responsibilities for,
and knowledge of, the matters concerned.
Conduct of a Direct Engagement in Accordance with CSAEs
Complying with Standards that Are Relevant to the Engagement (Ref: Para. 1, 7, 17)
A20.
This CSAE includes requirements that apply to all direct engagements,
including engagements in accordance with a subject-matter-specific CSAE. In
some cases, a subject-matter-specific CSAE is also relevant to the
engagement. A subject-matter-specific CSAE is relevant to the engagement
when the CSAE is in effect, the subject matter of the CSAE is relevant to the
engagement, and the circumstances addressed by the CSAE exist.
A21.
The CASs, Section 8200 and Section 8500 have been written for audits and
reviews of historical financial information, respectively, and do not apply to other
assurance engagements. They may, however, provide guidance in relation to
the engagement process generally for practitioners undertaking an assurance
engagement in accordance with this CSAE.
Text of a CSAE (Ref: Para. 14, 18)
A22.
CSAEs contain the objectives of the practitioner in following the CSAEs, and
requirements designed to enable the practitioner to meet those objectives. In
addition, they contain related guidance in the form of application and other
explanatory material, introductory material that provides context relevant to a
proper understanding of the CSAE, and definitions.
A23.
The objectives in a CSAE provide the context in which the requirements of the
CSAE are set, and are intended to assist in:
(a) Understanding what is to be accomplished; and
(b) Deciding whether more needs to be done to achieve the objectives.
The proper application of the requirements of a CSAE by the practitioner is
expected to provide a sufficient basis for the practitioner’s achievement of the
objectives. However, because the circumstances of assurance engagements
vary widely and all such circumstances cannot be anticipated in the CSAEs, the
practitioner is responsible for determining the procedures necessary to fulfill the
requirements of relevant CSAEs and to achieve the objectives stated therein. In
the circumstances of an engagement, there may be particular matters that
require the practitioner to perform procedures in addition to those required by
relevant CSAEs to meet the objectives specified in those CSAEs.
A24.
The requirements of CSAEs are expressed using “shall.”
A25.
Where necessary, the application and other explanatory material provides
further explanation of the requirements and guidance for carrying them out. In
particular, it may:
(a) Explain more precisely what a requirement means or is intended to cover;
and
(b) Include examples that may be appropriate in the circumstances.
While such guidance does not in itself impose a requirement, it is relevant to the
proper application of the requirements. The application and other explanatory
material may also provide background information on matters addressed in a
CSAE. Where appropriate, additional considerations specific to public sector
audit organizations or smaller firms are included within the application and other
explanatory material. These additional considerations assist in the application of
the requirements in the CSAEs. They do not, however, limit or reduce the
responsibility of the practitioner to apply and comply with the requirements in a
CSAE.
A26.
Definitions are provided in the CSAEs to assist in the consistent application and
interpretation of the CSAEs, and are not intended to override definitions that
may be established for other purposes, whether by laws, regulations or
otherwise.
A27.
Appendices form part of the application and other explanatory material. The
purpose and intended use of an appendix are explained in the body of the
related CSAE or within the title and introduction of the appendix itself.
Complying with Relevant Requirements (Ref: Para. 19)
A28.
Although some procedures are required only for reasonable assurance
engagements, they may nonetheless be appropriate in some limited assurance
engagements.
Ethical Requirements (Ref: Para. 5, 22, 24)
A29.
In Canada, relevant ethical requirements for public accountants establish the
following fundamental principles with which the practitioner is required to
comply:
(a) Maintenance of the reputation of the profession;
(b) Integrity and due care;
(c) Objectivity;
(d) Professional competence;
(e) Compliance with professional standards;
(f) Confidentiality of information;
(g) Conflict of interest;
(h) Duty to report breach of rules of professional conduct;
(i) Handling of trust funds and other property;
(j) Handling of property of others;
(k) Unlawful activity;
(l) Fee quotations;
(m) Contingent fees;
(n) Payment or receipt of commissions; and
(o) Advertising and promotion, including solicitation and endorsements.
A30.
In Canada, relevant ethical requirements for public accountants also provide a
conceptual framework for professional accountants to apply to:
(a) Identify threats to compliance with the fundamental principles. Threats fall
into one or more of the following categories:
(i) Self-interest;
(ii) Self-review;
(iii) Advocacy;
(iv) Familiarity; and
(v) Intimidation;
(b) Evaluate the significance of the threats identified; and
(c) Apply safeguards, when necessary, to eliminate the threats or reduce them
to an acceptable level. Safeguards are necessary when the professional
accountant determines that the threats are not at a level at which a
reasonable and informed third party would be likely to conclude, weighing
all the specific facts and circumstances available to the professional
accountant at that time, that compliance with the fundamental principles is
not compromised.
A31.
In Canada, relevant ethical requirements for public accountants require the
practitioner to be and remain free of any influence, interest or relationship, in
respect of the client’s affairs, which impairs the practitioner’s professional
judgment or objectivity or which, in the view of a reasonable observer, would
impair the practitioner’s professional judgment or objectivity. Independence
safeguards the ability to form an assurance conclusion without being affected
by influences that might compromise that conclusion. Independence enhances
the ability to act with integrity, to be objective and to maintain an attitude of
professional skepticism. Matters addressed in the relevant ethical requirements
for public accountants with respect to independence include:
• Financial interests;
• Loans and guarantees;
• Business relationships;
• Family and personal relationships;
• Employment with assurance clients;
• Recent service with an assurance client;
• Serving as a director or officer of an assurance client;
• Long association of senior personnel with assurance clients;
• Provision of non-assurance services to assurance clients;
• Fees (relative size, overdue, and contingent fees); and
• Gifts and hospitality.
A32.
Professional requirements, or requirements imposed by law or regulation, are at
least as demanding as relevant rules of professional conduct/code of ethics in
Canada, applicable to the practice of public accounting directed to practitioners
and other members of assurance teams when they address all the matters
referred to in paragraphs A29-A31 and impose obligations that achieve the
aims of the requirements set out in the relevant rules of professional
conduct/code of ethics in Canada applicable to the practice of public accounting
and related to assurance engagements.
Acceptance and Continuance
Preconditions for the Direct Engagement (Ref: Para. 26)
A33.
In a public sector environment, some of the preconditions for an assurance
engagement may be assumed to be present, for example:
(a) The roles and responsibilities of public sector audit organizations and the
government entities scoped into assurance engagements are assumed to
be appropriate because they are generally set out in legislation;
(b) Public sector audit organizations’ right of access to the information
necessary to perform the engagement is often set out in legislation;
(c) The practitioner’s conclusion, in the form appropriate to either a reasonable
assurance engagement or a limited assurance engagement, is generally
required by legislation to be contained in a written report; and
(d) A rational purpose is generally present because the engagement is set out
in legislation.
A34.
If suitable criteria are not available for all of the underlying subject matter but
the practitioner can identify one or more aspects of the underlying subject
matter for which those criteria are suitable, then an assurance engagement can
be performed with respect to that aspect of the underlying subject matter in its
own right. In such cases, the assurance report may need to clarify that the
report does not relate to the original underlying subject matter in its entirety.
Roles and Responsibilities (Ref: Para. 14(n), 14(q), 14(u), 15, 26(a), Appendix 1)
A35.
All assurance engagements have at least three parties: the responsible party,
the practitioner, and the intended users.
A36.
Evidence that the appropriate relationship exists with respect to responsibility
for the underlying subject matter may be obtained through an acknowledgement
provided by the responsible party. Such an acknowledgement also establishes
a basis for a common understanding of the responsibilities of the responsible
party and the practitioner. A written acknowledgement is the most appropriate
form of documenting the responsible party’s understanding. In the absence of a
written acknowledgement of responsibility, it may still be appropriate for the
practitioner to accept the engagement if, for example, other sources, such as
legislation or a contract, indicate responsibility. In other cases, it may be
appropriate to decline the engagement depending on the circumstances, or to
disclose the circumstances in the assurance report.
Appropriateness of the Underlying Subject Matter (Ref: Para. 26(b)(i))
A37.
An appropriate underlying subject matter is identifiable and capable of
consistent measurement or evaluation against the applicable criteria and can be
subjected to procedures for obtaining sufficient appropriate evidence to support
a reasonable assurance or limited assurance conclusion, as appropriate.
A38.
The appropriateness of an underlying subject matter is not affected by the level
of assurance; that is, if an underlying subject matter is not appropriate for a
reasonable assurance engagement, it is also not appropriate for a limited
assurance engagement, and vice versa.
A39.
Different underlying subject matters have different characteristics, including the
degree to which information about them is qualitative versus quantitative,
objective versus subjective, historical versus prospective, and relates to a point
in time or covers a period. Such characteristics affect the:
(a) Precision with which the underlying subject matter can be measured or
evaluated against criteria; and
(b) Persuasiveness of available evidence.
A40.
Identifying such characteristics and considering their effects assist the
practitioner when assessing the appropriateness of the underlying subject
matter and also in determining the content of the assurance report (see
paragraph A157).
A41.
In some cases, the assurance engagement may relate to only one part of a
broader underlying subject matter. For example, the practitioner may be
engaged to report on one aspect of an entity’s contribution to sustainable
development, such as a number of programs run by an entity that have positive
environmental outcomes. In determining whether the engagement exhibits the
characteristic of having an appropriate underlying subject matter in such cases,
it may be appropriate for the practitioner to consider whether the practitioner’s
report is likely to meet the information needs of intended users as a group, and
whether there are more significant programs with less favorable outcomes that
the entity has not asked the practitioner to report upon.
Suitability and Availability of the Criteria
Suitability of the criteria (Ref: Para. 26(b)(ii))
A42.
Suitable criteria exhibit the following characteristics:
(a) Relevance: Relevant criteria result in a practitioner’s report that assists
decision-making by the intended users.
(b) Completeness: Criteria are complete when they do not omit relevant factors
that could reasonably be expected to affect decisions of the intended users.
Complete criteria include, where relevant, benchmarks for presentation and
disclosure.
(c) Reliability: Reliable criteria allow reasonably consistent measurement or
evaluation of the underlying subject matter when used in similar
circumstances by different practitioners.
(d) Neutrality: Neutral criteria result in a practitioner’s report that is free from
bias as appropriate in the engagement circumstances.
(e) Understandability: Understandable criteria result in a practitioner’s report
that can be understood by the intended users.
A43.
Vague descriptions of expectations or judgments of an individual’s experiences
do not constitute suitable criteria.
A44.
The suitability of criteria for a particular engagement depends on whether they
reflect the above characteristics. The relative importance of each characteristic
to a particular engagement is a matter of professional judgment. Further, criteria
may be suitable for a particular set of engagement circumstances, but may not
be suitable for a different set of engagement circumstances. For example,
reporting to governments or regulators may require the use of a particular set of
criteria, but these criteria may not be suitable for a broader group of users.
A45.
Criteria can be selected or developed in a variety of ways, for example, they
may be:
• Embodied in law or regulation.
• Issued by authorized or recognized bodies of experts that follow a
transparent due process.
• Developed collectively by a group that does not follow a transparent due
process.
• Published in scholarly journals or books.
• Developed for sale on a proprietary basis.
• Specifically designed for the purpose of measuring or evaluating the
underlying subject matter in the particular circumstances of the
engagement.
How criteria are developed may affect the work that the practitioner carries out
to assess their suitability.
A46.
In some cases, law or regulation prescribes the criteria to be used for the
engagement. In the absence of indications to the contrary, such criteria are
presumed to be suitable, as are criteria issued by authorized or recognized
bodies of experts that follow a transparent due process if they are relevant to
the intended users’ information needs. Such criteria are known as established
criteria. Even when established criteria exist for an underlying subject matter,
specific users may agree to other criteria for their specific purposes. For
example, various frameworks can be used as established criteria for evaluating
the effectiveness of internal control. Specific users may, however, develop a
more detailed set of criteria that meet their specific information needs in relation
to, for example, prudential supervision. In such cases, the assurance report:
(a) Alerts readers that the practitioner has used special purpose criteria in
measuring or evaluating the underlying subject matter and that, as a result,
the practitioner’s report may not be suitable for another purpose (see
paragraph 70(f)); and
(b) May note, when it is relevant to the circumstances of the engagement, that
the criteria are not embodied in law or regulation, or issued by authorized or
recognized bodies of experts that follow a transparent due process.
A47.
If criteria are specifically designed for the purpose of measuring and evaluating
the underlying subject matter in the particular circumstances of the
engagement, they are not suitable if they result in an assurance report that is
misleading to the intended users. It is desirable for the intended users or the
engaging party to acknowledge that specifically developed criteria are suitable
for the intended users’ purposes. The absence of such an acknowledgement
may affect what is to be done to assess the suitability of the criteria, and the
information provided about the criteria in the assurance report.
Availability of the criteria (Ref: Para. 26(b)(iii))
A48.
Criteria need to be available to the intended users to allow them to understand
how the underlying subject matter has been measured or evaluated. Criteria are
made available to the intended users in one or more of the following ways:
(a) Publicly.
(b) Through inclusion in a clear manner in the assurance report (see paragraph
A158).
(c) By general understanding, for example, the criterion for measuring time in
hours and minutes.
A49.
Criteria may also be available only to intended users, for example, the terms of
a contract, or criteria issued by an industry association that are available only to
those in the industry because they are relevant only to a specific purpose.
When this is the case, paragraph 71(f) requires a statement alerting readers to
this fact. In addition, the practitioner may consider it appropriate to indicate that
the assurance report is intended solely for specific users (see paragraphs A160-A161).
Access to Evidence (Ref: Para. 26(b)(iv))
Quantity and quality of available evidence
A50.
The quantity or quality of available evidence is affected by:
(a) The characteristics of the underlying subject matter. For example, less
objective evidence might be expected when the underlying subject matter
deals with matters that are future oriented rather than historical; and
(b) Other circumstances, such as when evidence that could reasonably be
expected to exist is not available because of, for example, the timing of the
practitioner’s appointment, an entity’s document retention policy,
inadequate information systems, or a restriction imposed by the responsible
party.
Ordinarily, evidence will be persuasive rather than conclusive.
Access to records (Ref: Para. 58)
A51.
Seeking the agreement of the appropriate party(ies) that it acknowledges and
understands its responsibility to provide the practitioner with the following may
assist the practitioner in determining whether the engagement exhibits the
characteristic of access to evidence:
(a) Access to all information of which the appropriate party(ies) is aware that is
relevant to the engagement, such as records, documentation and other
matters;
(b) Additional information that the practitioner may request from the appropriate
party(ies) for the purpose of the engagement; and
(c) Unrestricted access to persons from the appropriate party(ies) from whom
the practitioner determines it necessary to obtain evidence.
A52.
The nature of relationships between the responsible party and the engaging
party may affect the practitioner’s ability to access records, documentation and
other information the practitioner may require as evidence to complete the
engagement. The nature of such relationships may therefore be a relevant
consideration when determining whether or not to accept the engagement.
Examples of some circumstances in which the nature of these relationships
may be problematic are included in paragraph A133.
A Rational Purpose (Ref: Para. 26(b)(vi))
A53.
In determining whether the engagement has a rational purpose, relevant
considerations may include the following:
•
The intended users of the assurance report (particularly, when the criteria
are designed for a special purpose). A further consideration is the likelihood
that the assurance report will be used or distributed more broadly than to
intended users.
•
Whether aspects of the underlying subject matter are expected to be
excluded from the assurance engagement, and the reason for their
exclusion.
•
The characteristics of the relationships between the responsible party and
the engaging party, whether the responsible party consents to the use to be
made of the practitioner’s report and whether it will have the opportunity to
review that report before it is made available to intended users.
•
Whether the practitioner discussed the criteria to be applied to measure or
evaluate the underlying subject matter with other parties, and what the
degree of judgment is in applying them. The engagement is more likely to
have a rational purpose if the intended users were involved in selecting the
criteria.
•
Any significant limitations on the scope of the practitioner’s work.
•
Whether the practitioner believes the engaging party intends to associate
the practitioner’s name with the underlying subject matter in an
inappropriate manner.
Agreeing on the Terms of the Engagement (Ref: Para. 29)
A54.
It is in the interests of both the engaging party and the practitioner that the
practitioner communicates in writing the agreed terms of the engagement
before the commencement of the engagement to help avoid
misunderstandings. The form and content of the written agreement or contract
will vary with the engagement circumstances. For example, if law or regulation
prescribes in sufficient detail the terms of the engagement, the practitioner need
not record them in a written agreement, except for the fact that such law or
regulation applies and that the appropriate party acknowledges and
understands its responsibilities under such law or regulation.
A55.
Law or regulation, particularly in the public sector, may mandate the
appointment of a practitioner and set out specific powers, such as the power to
access an appropriate party(ies)’s records and other information, and
responsibilities, such as requiring the practitioner to report directly to a minister,
the legislature or the public if an appropriate party(ies) attempts to limit the
scope of the engagement.
Acceptance of a Change in the Terms of the Engagement (Ref: Para. 31)
A56.
A change in circumstances that affects the intended users’ requirements, or a
misunderstanding concerning the nature of the engagement, may justify a
request for a change in the engagement, for example, from an assurance
engagement to a non-assurance engagement, or from a reasonable assurance
engagement to a limited assurance engagement. An inability to obtain sufficient
appropriate evidence to form a reasonable assurance conclusion is not an
acceptable reason to change from a reasonable assurance engagement to a
limited assurance engagement.
Quality Control
Professional Accountants in Public Practice (Ref: Para. 22, 33(a)-(b))
A57.
This CSAE has been written in the context of a range of measures taken to
ensure the quality of assurance engagements undertaken by professional
accountants in public practice. Such measures include:
•
Competency requirements such as education and experience benchmarks
for entry to membership, and ongoing continuing professional development
as well as life-long learning requirements.
•
Quality control policies and procedures implemented across the firm. CSQC
1 applies to all firms of professional accountants in respect of assurance
engagements.
•
Comprehensive rules of professional conduct/code of ethics, including
detailed independence requirements, founded on fundamental principles of
integrity, objectivity, professional competence and due care, confidentiality
and professional behavior.
Firm Level Quality Control (Ref: Para. 5(b), 33(a))
A58.
CSQC 1 deals with the firm’s responsibilities to establish and maintain its
system of quality control for assurance engagements. It sets out the
responsibilities of the firm for establishing policies and procedures designed to
provide it with reasonable assurance that the firm and its personnel comply with
relevant ethical requirements, including those pertaining to independence.
Compliance with CSQC 1 requires, among other things, that the firm establish
and maintain a system of quality control that includes policies and procedures
addressing each of the following elements, and that it documents its policies
and procedures and communicates them to the firm’s personnel:
(a) Leadership responsibilities for quality within the firm;
(b) Relevant ethical requirements;
(c) Acceptance and continuance of client relationships and specific
engagements;
(d) Human resources;
(e) Engagement performance; and
(f) Monitoring.
A59.
Other professional requirements, or requirements in law or regulation that deal
with the firm’s responsibilities to establish and maintain a system of quality
control, are at least as demanding as CSQC 1 when they address all the
matters referred to in the preceding paragraph and impose obligations on the
firm that achieve the aims of the requirements set out in CSQC 1.
A60.
The actions of the engagement partner, and appropriate messages to the other
members of the engagement team, in the context of the engagement partner
taking responsibility for the overall quality on each engagement, emphasize the
fact that quality is essential in performing an assurance engagement, and the
importance to the quality of the assurance engagement of:
(a) Performing work that complies with professional standards and regulatory
and legal requirements.
(b) Complying with the firm’s quality control policies and procedures as
applicable.
(c) Issuing a report for the engagement that is appropriate in the
circumstances.
(d) The engagement team’s ability to raise concerns without fear of reprisals.
A61.
An effective system of quality control includes a monitoring process designed to
provide the firm with reasonable assurance that its policies and procedures
relating to the system of quality control are relevant, adequate and operating
effectively.
A62.
Unless information provided by the firm or other parties suggests otherwise, the
engagement team is entitled to rely on the firm’s system of quality control. For
example, the engagement team may rely on the firm’s system of quality control
in relation to:
(a) Competence of personnel through their recruitment and formal training.
(b) Independence through the accumulation and communication of relevant
independence information.
(c) Maintenance of client relationships through acceptance and continuance
systems.
(d) Adherence to regulatory and legal requirements through the monitoring
process.
In considering deficiencies identified in the firm’s system of quality control that
may affect the assurance engagement, the engagement partner may consider
measures taken by the firm to rectify those deficiencies.
A63.
A deficiency in the firm’s system of quality control does not necessarily indicate
that an assurance engagement was not performed in accordance with
professional standards and applicable legal and regulatory requirements, or that
the practitioner’s report was not appropriate.
Skills, Knowledge and Experience with Respect to the Underlying Subject Matter and Its
Measurement or Evaluation (Ref: Para. 33(c))
A64.
A practitioner may be requested to perform assurance engagements with
respect to a wide range of underlying subject matter. Some may require
specialized skills and knowledge beyond those ordinarily possessed by a
particular individual.
A65.
The relevant rules of professional conduct/code of ethics in Canada require the
professional accountant in public practice to agree to provide only those
services that the professional accountant in public practice is competent to
perform. The practitioner has sole responsibility for the assurance conclusion
expressed, and that responsibility is not reduced by the practitioner’s use of the
work of a practitioner’s expert. Nonetheless, if the practitioner using the work of
a practitioner’s expert, having followed this CSAE, concludes that the work of
that expert is adequate for the practitioner’s purposes, the practitioner may
accept that expert’s findings or conclusions in the expert’s field as appropriate
evidence.
Assignment of the Team
Collective Competence and Capabilities (Ref: Para. 34)
A66.
CSQC 1 requires the firm to establish policies and procedures for the
acceptance and continuance of client relationships and specific engagements,
designed to provide the firm with reasonable assurance that it will only
undertake or continue relationships and engagements where the firm is
competent to perform the engagement and has the capabilities, including time
and resources, to do so.
4
Practitioner’s Expert (Ref: Para. 34(b)(i))
A67.
Some of the assurance work may be performed by a multi-disciplinary team that
includes one or more practitioner’s experts. For example, a practitioner’s expert
may be needed to assist the practitioner in obtaining an understanding of the
underlying subject matter and other engagement circumstances or in one or
more of the matters mentioned in paragraph 48R (in the case of a reasonable
assurance engagement) or 48L (in the case of a limited assurance
engagement).
A68.
When the work of a practitioner’s expert is to be used, it may be appropriate to
perform some of the procedures required by paragraph 54 at the engagement
acceptance or continuance stage.
Other Practitioners (Ref: Para. 34(b)(ii))
A69.
The underlying subject matter may include matters upon which another
practitioner may have expressed a conclusion. The practitioner may decide to
use the evidence on which that other practitioner’s conclusion is based to
provide evidence regarding the underlying subject matter.
A70.
The work of another practitioner may be used in relation to, for example, an
underlying subject matter at a remote location or in a foreign jurisdiction. Such
other practitioners are not part of the engagement team. Relevant
considerations when the engagement team plans to use the work of another
practitioner may include:
4 CSQC 1, paragraph 26
•
Whether the other practitioner understands and complies with the ethical
requirements that are relevant to the engagement and, in particular, is
independent.
•
The other practitioner’s professional competence.
•
The extent of the engagement team’s involvement in the work of the other
practitioner.
•
Whether the other practitioner operates in a regulatory environment that
actively oversees that practitioner.
Review Responsibilities (Ref: Para. 35(c))
A71.
Under CSQC 1, the firm’s review responsibility policies and procedures are
determined on the basis that the work of less experienced team members is
reviewed by more experienced team members.
5
Engagement Quality Control Review (Ref: Para. 38(b))
A72.
Other matters that may be considered in an engagement quality control review
include:
(a) The engagement team’s evaluation of the firm’s independence in relation to
the engagement;
(b) Whether appropriate consultation has taken place on matters involving
differences of opinion or other difficult or contentious matters, and the
conclusions arising from those consultations; and
(c) Whether engagement documentation selected for review reflects the work
performed in relation to the significant judgments and supports the
conclusions reached.
Professional Skepticism and Professional Judgment
Professional Skepticism (Ref: Para. 39)
A73.
Professional skepticism is an attitude that includes being alert to, for example:
•
Evidence that is inconsistent with other evidence obtained.
•
Information that calls into question the reliability of documents and
responses to inquiries to be used as evidence.
•
Circumstances that suggest the need for procedures in addition to those
required by relevant CSAEs.
•
Conditions that may indicate likely deviation.
5 CSQC 1, paragraph 33
A74.
Maintaining professional skepticism throughout the engagement is necessary if
the practitioner is, for example, to reduce the risks of:
•
Overlooking unusual circumstances.
•
Overgeneralizing when drawing conclusions from observations.
•
Using inappropriate assumptions in determining the nature, timing and
extent of the procedures, and evaluating the results thereof.
A75.
Professional skepticism is necessary to the critical assessment of evidence.
This includes questioning inconsistent evidence and the reliability of documents
and responses to inquiries. It also includes consideration of the sufficiency and
appropriateness of evidence obtained in the light of the circumstances.
A76.
Unless the engagement involves assurance about whether documents are
genuine, the practitioner may accept records and documents as genuine unless
the practitioner has reason to believe the contrary. Nevertheless, the
practitioner is required by paragraph 52 to consider the reliability of information
to be used as evidence.
A77.
The practitioner cannot be expected to disregard past experience of the
honesty and integrity of those who provide evidence. Nevertheless, a belief that
those who provide evidence are honest and have integrity does not relieve the
practitioner of the need to maintain professional skepticism.
Professional Judgment (Ref: Para. 40)
A78.
Professional judgment is essential to the proper conduct of an assurance
engagement. This is because interpretation of relevant ethical requirements and
relevant CSAEs and the informed decisions required throughout the
engagement cannot be made without the application of relevant training,
knowledge, and experience to the facts and circumstances. Professional
judgment is necessary in particular regarding decisions about:
•
Materiality and engagement risk.
•
The nature, timing and extent of procedures used to meet the requirements
of relevant CSAEs and obtain evidence.
•
Evaluating whether sufficient appropriate evidence has been obtained, and
whether more needs to be done to achieve the objectives of this CSAE and
any relevant subject-matter-specific CSAE. In particular, in the case of a
limited assurance engagement, professional judgment is required in
evaluating whether a meaningful level of assurance has been obtained.
•
The appropriate conclusions to draw based on the evidence obtained.
A79.
The distinguishing feature of the professional judgment expected of a
practitioner is that it is exercised by a practitioner whose training, knowledge
and experience have assisted in developing the necessary competencies to
achieve reasonable judgments.
A80.
The exercise of professional judgment in any particular case is based on the
facts and circumstances that are known by the practitioner. Consultation on
difficult or contentious matters during the course of the engagement, both within
the engagement team and between the engagement team and others at the
appropriate level within or outside the firm, assists the practitioner in making
informed and reasonable judgments.
A81.
Professional judgment can be evaluated based on whether the judgment
reached reflects a competent application of assurance and measurement or
evaluation principles and is appropriate in the light of, and consistent with, the
facts and circumstances that were known to the practitioner up to the date of
the practitioner’s assurance report.
A82.
Professional judgment needs to be exercised throughout the engagement. It
also needs to be appropriately documented. In this regard, paragraph 79
requires the practitioner to prepare documentation sufficient to enable an
experienced practitioner, having no previous connection with the engagement,
to understand the significant professional judgments made in reaching
conclusions on significant matters arising during the engagement. Professional
judgment is not to be used as the justification for decisions that are not
otherwise supported by the facts and circumstances of the engagement or
sufficient appropriate evidence.
Planning and Performing the Engagement
Planning (Ref: Para. 42, 45)
A83.
Planning involves the engagement partner, other key members of the
engagement team, and any key practitioner’s external experts developing an
overall strategy for the scope, emphasis, timing and conduct of the
engagement, and an engagement plan, consisting of a detailed approach for
the nature, timing and extent of procedures to be performed, and the reasons
for selecting them. Adequate planning helps to devote appropriate attention to
important areas of the engagement, identify potential problems on a timely
basis and properly organize and manage the engagement in order for it to be
performed in an effective and efficient manner. Adequate planning also assists
the practitioner to properly assign work to engagement team members, and
facilitates the direction, supervision, and the review of their work. Further, it
assists, where applicable, the coordination of work done by other practitioners
and experts. The nature and extent of planning activities will vary with the
engagement circumstances, for example, the complexity of the underlying
subject matter and criteria. Examples of the main matters that may be
considered include:
•
The characteristics of the engagement that define its scope, including the
terms of the engagement and the characteristics of the underlying subject
matter and the criteria.
•
The expected timing and the nature of the communications required.
•
The results of engagement acceptance activities and, where applicable,
whether knowledge gained on other engagements performed by the
engagement partner for the appropriate party(ies) is relevant.
•
The engagement process.
•
The practitioner’s understanding of the appropriate party(ies) and its
environment, including the risks of material deviation.
•
Identification of intended users and their information needs, and
consideration of materiality and the components of engagement risk.
•
The extent to which the risk of fraud is relevant to the engagement.
•
The nature, timing and extent of resources necessary to perform the
engagement, such as personnel and expertise requirements, including the
nature and extent of experts’ involvement.
•
The impact of the internal audit function on the engagement.
A84.
The practitioner may decide to discuss elements of planning with the
appropriate party(ies) to facilitate the conduct and management of the
engagement (for example, to coordinate some of the planned procedures with
the work of the appropriate party(ies)’s personnel). Although these discussions
often occur, the overall engagement strategy and the engagement plan remain
the practitioner’s responsibility. When discussing matters included in the overall
engagement strategy or engagement plan, care is required in order not to
compromise the effectiveness of the engagement. For example, discussing the
nature and timing of detailed procedures with the appropriate party(ies) may
compromise the effectiveness of the engagement by making the procedures too
predictable.
A85.
Planning is not a discrete phase, but rather a continual and iterative process
throughout the engagement. As a result of unexpected events, changes in
conditions, or evidence obtained, the practitioner may need to revise the overall
strategy and engagement plan, and thereby the resulting planned nature, timing
and extent of procedures.
A86.
In smaller or less complex engagements, the entire engagement may be
conducted by a very small engagement team, possibly involving the
engagement partner (who may be a sole practitioner) working without any other
engagement team members. With a smaller team, co-ordination of, and
communication between, team members is easier. Establishing the overall
engagement strategy in such cases need not be a complex or time-consuming
exercise; it varies according to the size of the entity, the complexity of the
engagement, including the underlying subject matter and criteria, and the size
of the engagement team. For example, in the case of a recurring engagement,
a brief memorandum prepared at the completion of the previous period, based
on a review of the working papers and highlighting issues identified in the
engagement just completed, updated in the current period based on
discussions with appropriate parties, can serve as the documented engagement
strategy for the current engagement.
A87.
If in the circumstances described in paragraph 45, the practitioner continues
with the engagement:
(a) When, in the practitioner’s professional judgment, the unsuitable applicable
criteria or inappropriate underlying subject matter is likely to mislead the
intended users, a qualified conclusion or adverse conclusion would be
appropriate in the circumstances depending on how material and pervasive
the matter is.
(b) In other cases, a qualified conclusion or a disclaimer of conclusion would be
appropriate depending on, in the practitioner’s professional judgment, how
material and pervasive the matter is.
Materiality (Ref: Para. 14(v), 46)
A88.
Professional judgments about materiality are made in light of surrounding
circumstances, but are not affected by the level of assurance; that is, for the
same intended users and purpose, materiality for a reasonable assurance
engagement is the same as for a limited assurance engagement because
materiality is based on the information needs of intended users.
A89.
The applicable criteria may discuss the concept of materiality and thereby
provide a frame of reference for the practitioner in considering materiality for the
engagement. Although applicable criteria may discuss materiality in different
terms, the concept of materiality generally includes the matters discussed in
paragraphs A88-A96. If the applicable criteria do not include a discussion of the
concept of materiality, these paragraphs provide the practitioner with a frame of
reference.
A90.
Deviations, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence
relevant decisions of intended users taken on the basis of the practitioner’s
report. The practitioner’s consideration of materiality is a matter of professional
judgment, and is affected by the practitioner’s perception of the common
information needs of intended users as a group. In this context, it is reasonable
for the practitioner to assume that intended users:
(a) Have a reasonable knowledge of the underlying subject matter, and a
willingness to study the underlying subject matter with reasonable diligence;
(b) Understand that the practitioner has applied appropriate levels of materiality
in measuring or evaluating and obtaining assurance regarding the
underlying subject matter, and have an understanding of any materiality
concepts included in the applicable criteria;
(c) Understand any inherent uncertainties involved in measuring or
evaluating the underlying subject matter; and
(d) Make reasonable decisions on the basis of the underlying subject matter
taken as a whole.
Unless the engagement has been designed to meet the particular information
needs of specific users, the possible effect of deviations on specific users,
whose information needs may vary widely, is not ordinarily considered (see also
paragraphs A16-A18).
A91.
Materiality is considered in the context of qualitative factors and, when
applicable, quantitative factors. The relative importance of qualitative factors
and quantitative factors when considering materiality in a particular engagement
is a matter for the practitioner’s professional judgment.
A92.
Qualitative factors may include such things as:
•
The number of persons or entities affected by the subject matter.
•
The interaction between, and relative importance of, various components of
the underlying subject matter when it is made up of multiple components,
such as when the practitioner’s report includes numerous performance
indicators.
•
The wording chosen with respect to information that is expressed in
narrative form.
•
The nature of a deviation, for example, the nature of observed deviations
from a control relevant to the underlying subject matter.
•
Whether a deviation affects compliance with law or regulation.
•
Whether a deviation is the result of an intentional act or is unintentional.
•
Whether a deviation is significant having regard to the practitioner’s
understanding of known previous communications to users, for example, in
relation to the expected outcome of the measurement or evaluation of the
underlying subject matter.
•
Whether a deviation relates to the relationship between the responsible
party, and the engaging party or their relationship with other parties.
•
When a threshold or benchmark value has been identified, whether the
result of the procedure deviates from that value.
•
When the underlying subject matter is a governmental program or public
sector entity, whether a particular aspect of the program or entity is
significant with regard to the nature, visibility and sensitivity of the program
or entity.
•
When the engagement is intended to provide a conclusion on compliance
with law or regulation, the seriousness of the consequences of noncompliance.
A93.
Quantitative factors relate to the magnitude of deviations, if any, that are:
•
Expressed numerically; or
•
Otherwise related to numerical values (for example, the number of
observed deviations from a control).
A94.
When quantitative factors are applicable, planning the engagement solely to
detect individually material deviations overlooks the aggregate effect of
detected individually immaterial deviations or possible undetected deviations. It
may therefore be appropriate when planning the nature, timing and extent of
procedures for the practitioner to determine a quantity less than materiality as a
basis for determining the nature, timing and extent of procedures.
A95.
Materiality relates to the information covered by the assurance report.
Therefore, when the engagement covers some, but not all, aspects of the
information communicated about an underlying subject matter, materiality is
considered in relation to only that portion that is covered by the engagement.
A96.
Concluding on the materiality of the deviations identified as a result of the
procedures performed requires professional judgment. For example:
•
The applicable criteria for a value-for-money engagement for a hospital’s
emergency department may include the speed of the services provided, the
quality of the services, the number of patients treated during a shift, and
benchmarking the cost of the services against other similar hospitals. If
three of these applicable criteria are satisfied but one applicable criterion is
not satisfied by a small margin, then professional judgment is needed to
conclude whether the hospital’s emergency department represents value
for money as a whole.
•
In a compliance engagement, the entity may have complied with nine
provisions of the relevant law or regulation, but did not comply with one
provision. Professional judgment is needed to conclude whether the entity
complied with the relevant law or regulation as a whole. For example, the
practitioner may consider the significance of the provision with which the
entity did not comply, as well as the relationship of that provision to the
remaining provisions of the relevant law or regulation.
Understanding the Engagement Circumstances (Ref: Para. 47-49R)
A97.
Discussions between the engagement partner and other key members of the
engagement team, and any key practitioner’s external experts, about the
susceptibility of the underlying subject matter to material deviation, and the
application of the applicable criteria to the facts and circumstances of the
engagement, may assist the engagement team in planning and performing the
engagement. It is also useful to communicate relevant matters to members of
the engagement team, and to any practitioner’s external experts not involved in
the discussion.
A98.
Obtaining an understanding of the underlying subject matter and other
engagement circumstances provides the practitioner with a frame of reference
for exercising professional judgment throughout the engagement, for example,
when:
•
Considering the characteristics of the underlying subject matter;
•
Assessing the suitability of criteria;
•
Considering the factors that, in the practitioner’s professional judgment, are
significant in directing the engagement team’s efforts, including where
special consideration may be necessary (for example, the need for
specialized skills or the work of an expert);
•
Establishing and evaluating the continued appropriateness of quantitative
materiality levels (where appropriate), and considering qualitative
materiality factors;
•
Developing expectations for use when performing analytical procedures;
•
Designing and performing procedures; and
•
Evaluating evidence, including the reasonableness of the oral and written
representations received by the practitioner.
A99.
The practitioner ordinarily has a lesser depth of understanding of the underlying
subject matter and other engagement circumstances than the responsible party.
The practitioner also ordinarily has a lesser depth of understanding of the
underlying subject matter and other engagement circumstances for a limited
assurance engagement than for a reasonable assurance engagement. For
example, while in some limited assurance engagements the practitioner may
obtain an understanding of internal control relevant to the underlying subject
matter, this is often not the case.
A100.
In a limited assurance engagement, identifying the areas where a material
deviation is likely to arise enables the practitioner to focus procedures on those
areas. For example, in an engagement when the underlying subject matter
deals with the entity’s sustainability, the practitioner may focus on certain areas
of sustainability. The practitioner may design and perform procedures over the
entire underlying subject matter when it consists of only a single area or when
obtaining assurance over all areas of the underlying subject matter is necessary
to obtain meaningful assurance.
A101.
In a reasonable assurance engagement, understanding internal control relevant
to the underlying subject matter assists the practitioner in identifying the types
of deviations and factors that affect the risks of material deviation. The
practitioner is required to evaluate the design of relevant controls and
determines whether they have been implemented, by performing procedures in
addition to inquiry of the responsible party. Professional judgment is needed to
determine which controls are relevant in the engagement circumstances.
A102.
In both a reasonable assurance and a limited assurance engagement, the
results of the entity’s risk assessment process may also assist the practitioner
in obtaining an understanding of the underlying subject matter and other
engagement circumstances.
Obtaining Evidence
The Nature, Timing and Extent of Procedures (Ref: Para. 50L-51R)
A103.
The practitioner chooses a combination of procedures to obtain reasonable
assurance or limited assurance, as appropriate. The procedures listed below
may be used, for example, for planning or performing the engagement,
depending on the context in which they are applied by the practitioner:
• Inspection;
• Observation;
• Confirmation;
• Recalculation;
• Reperformance;
• Analytical procedures; and
• Inquiry.
A104.
Factors that may affect the practitioner’s selection of procedures include the
nature of the underlying subject matter; the level of assurance to be obtained;
and the information needs of the intended users and the engaging party,
including relevant time and cost constraints.
A105.
In some cases, a subject-matter-specific CSAE may include requirements that
affect the nature, timing and extent of procedures. For example, a
subject-matter-specific CSAE may describe the nature or extent of particular
procedures to be performed or the level of assurance expected to be obtained
in a particular type of engagement. Even in such cases, determining the exact
nature, timing and extent of procedures is a matter of professional judgment
and will vary from one engagement to the next.
A106.
In some engagements, the practitioner may not identify any areas where a
material deviation is likely to arise. Irrespective of whether any such areas have
been identified, the practitioner designs and performs procedures to obtain a
meaningful level of assurance.
A107.
An assurance engagement is an iterative process, and information may come to
the practitioner’s attention that differs significantly from that on which the
determination of planned procedures was based. As the practitioner performs
planned procedures, the evidence obtained may cause the practitioner to
perform additional procedures.
Determining Whether Additional Procedures Are Necessary in a Limited Assurance
Engagement (Ref: Para. 51L)
A108.
The practitioner may become aware of deviations that are, after applying
professional judgment, clearly not indicative of the existence of material
deviations. The following examples illustrate when additional procedures may
not be needed because, in the practitioner’s professional judgment, the
identified deviations are clearly not indicative of the existence of material
deviations:
• If materiality is 10,000 units, and the practitioner judges that a potential
error of 100 units may exist, then additional procedures would not generally
be required, unless there are other qualitative factors that need to be
considered, because the risk of a material deviation is likely to be
acceptable in the engagement circumstances.
• If, in performing a set of procedures over an area where material deviations
are likely, a response to one inquiry among many was not as expected,
additional procedures may not be needed if the risk of a material deviation
is, nevertheless, at a level that is acceptable in the circumstances of the
engagement in light of the results of other procedures.
A109.
The practitioner may become aware of a matter(s) that causes the practitioner
to believe that a material deviation exists. The following examples illustrate
when additional procedures may be needed as the identified deviations indicate
the existence of material deviations in the underlying subject matter:
• When performing analytical procedures, the practitioner may identify a
fluctuation or relationship that is inconsistent with other relevant information
or that differs significantly from expected amounts or ratios.
• The practitioner may become aware of a potential material deviation from
reviewing external sources.
• If the applicable criteria permit a 10% error rate and, based on a particular
test, the practitioner discovered a 9% error rate, then additional procedures
may be needed because the risk of a material deviation may not be
acceptable in the engagement circumstances.
• If the results of analytical procedures are within expectations but are,
nevertheless, close to exceeding the expected value, then additional
procedures may be needed because the risk of a material deviation may
not be acceptable in the engagement circumstances.
A110.
If, in the case of a limited assurance engagement, a matter(s) comes to the
practitioner’s attention that causes the practitioner to believe that a material
deviation exists, the practitioner is required by paragraph 51L to design and
perform additional procedures. Additional procedures may include, for example,
inquiring of the appropriate party(ies) or performing other procedures as
appropriate in the circumstances.
A111.
If, having performed the additional procedures required by paragraph 51L, the
practitioner is not able to obtain sufficient appropriate evidence to either
conclude that the matter(s) is not likely to cause a material deviation or
determine that it does cause a material deviation, a scope limitation exists and
paragraph 67 applies.
A112.
The practitioner’s judgment about the nature, timing and extent of additional
procedures that are needed to obtain evidence to either conclude that a
material deviation is not likely, or determine that a material deviation exists, is,
for example, guided by:
• Information obtained from the practitioner’s evaluation of the results of the
procedures already performed;
• The practitioner’s updated understanding of the underlying subject matter
and other engagement circumstances obtained throughout the course of
the engagement; and
• The practitioner’s view on the persuasiveness of evidence needed to
address the matter that causes the practitioner to believe that the
underlying subject matter may contain a material deviation.
Considering Detected Deviations Individually and in Aggregate (Ref: Para. 53, 66)
A113.
“Clearly trivial” is not another expression for “not material.” Matters that are
clearly trivial will be of a wholly different (smaller) order of importance than
materiality determined in accordance with paragraph 46, and will be matters
that are clearly inconsequential, whether taken individually or in aggregate and
whether judged by any criteria of size, nature or circumstances. When there is
any uncertainty about whether one or more items are clearly trivial, the matter is
considered not to be clearly trivial.
Considerations When a Practitioner’s Expert Is Involved on the Engagement
Nature, Timing and Extent of Procedures (Ref: Para. 54)
A114.
The following matters are often relevant when determining the nature, timing
and extent of procedures with respect to the work of a practitioner’s expert
when some of the assurance work is performed by one or more practitioner’s
expert (see paragraph A67):
(a) The significance of that expert’s work in the context of the engagement (see
also paragraphs A115-A116);
(b) The nature of the matter to which that expert’s work relates;
(c) The risks of material deviation in the matter to which that expert’s work
relates;
(d) The practitioner’s knowledge of and experience with previous work
performed by that expert; and
(e) Whether that expert is subject to the practitioner’s firm’s quality control
policies and procedures (see also paragraphs A117-A118).
Integrating the work of a practitioner’s expert
A115.
Assurance engagements may be performed on a wide range of underlying
subject matters that require specialized skills and knowledge beyond those
possessed by the engagement partner and other members of the engagement
team and for which the work of a practitioner’s expert is used. In some
situations, the practitioner’s expert will be consulted to provide advice on an
individual matter, but the greater the significance of the practitioner’s expert’s
work in the context of the engagement, the more likely it is that expert will work
as part of a multi-disciplinary team comprising subject matter experts and other
assurance personnel. The more that expert’s work is integrated in nature, timing
and extent with the overall work effort, the more important effective two-way
communication is between the practitioner’s expert and other assurance
personnel. Effective two-way communication facilitates the proper integration of
the expert’s work with the work of others on the engagement.
A116.
As noted in paragraph A68, when the work of a practitioner’s expert is to be
used, it may be appropriate to perform some of the procedures required by
paragraph 54 at the engagement acceptance or continuance stage. This is
particularly so when the work of the practitioner’s expert will be fully integrated
with the work of other assurance personnel and when the work of the
practitioner’s expert is to be used in the early stages of the engagement, for
example, during initial planning and risk assessment.
The practitioner’s firm’s quality control policies and procedures
A117.
A practitioner’s internal expert may be a partner or staff, including temporary
staff, of the practitioner’s firm and, therefore, subject to the quality control
policies and procedures of that firm in accordance with CSQC 1, or other
professional requirements, or requirements in law or regulation, that are at least
as demanding as CSQC 1. Alternatively, a practitioner’s internal expert may be
a partner or staff, including temporary staff, of a network firm, which may share
common quality control policies and procedures with the practitioner’s firm. A
practitioner’s external expert is not a member of the engagement team and is
not subject to quality control policies and procedures in accordance with
CSQC 1.
A118.
Engagement teams are entitled to rely on the firm’s system of quality control,
unless information provided by the firm or other parties suggests otherwise. The
extent of that reliance will vary with the circumstances, and may affect the
nature, timing and extent of the practitioner’s procedures with respect to such
matters as:
• Competence and capabilities, through recruitment and training programs.
• The practitioner’s evaluation of the objectivity of the practitioner’s expert.
Practitioner’s internal experts are subject to relevant ethical requirements,
including those pertaining to independence.
• The practitioner’s evaluation of the adequacy of the practitioner’s expert’s
work. For example, the firm’s training programs may provide the
practitioner’s internal experts with an appropriate understanding of the
interrelationship of their expertise with the evidence gathering process.
Reliance on such training and other firm processes, such as protocols for
scoping the work of the practitioner’s internal experts, may affect the nature,
timing and extent of the practitioner’s procedures to evaluate the adequacy
of the practitioner’s expert’s work.
• Adherence to regulatory and legal requirements, through monitoring
processes.
• Agreement with the practitioner’s expert.
Such reliance does not reduce the practitioner’s responsibility to meet the
requirements of this CSAE.
The Competence, Capabilities and Objectivity of the Practitioner’s Expert
(Ref: Para. 54(a))
A119.
Information regarding the competence, capabilities and objectivity of a
practitioner’s expert may come from a variety of sources, such as:
• Personal experience with previous work of that expert.
• Discussions with that expert.
• Discussions with other practitioners or others who are familiar with that
expert’s work.
• Knowledge of that expert’s qualifications, membership of a professional
body or industry association, license to practice, or other forms of external
recognition.
• Published papers or books written by that expert.
• The firm’s quality control policies and procedures (see also paragraphs
A117-A118).
A120.
While practitioner’s experts do not require the same proficiency as the
practitioner in performing all aspects of an assurance engagement, a
practitioner’s expert whose work is used may need a sufficient understanding of
relevant CSAEs to enable that expert to relate the work assigned to them to the
engagement objective.
A121.
The evaluation of the significance of threats to objectivity and of whether there
is a need for safeguards may depend upon the role of the practitioner’s expert
and the significance of the expert’s work in the context of the engagement.
There may be some circumstances in which safeguards cannot reduce threats
to an acceptable level, for example, if a proposed practitioner’s expert is an
individual who has played a significant role in assisting the responsible party in
making decisions regarding aspects of the underlying subject matter.
A122.
When evaluating the objectivity of a practitioner’s external expert, it may be
relevant to:
• Inquire of the appropriate party(ies) about any known interests or
relationships that the appropriate party(ies) has with the practitioner’s
external expert that may affect that expert’s objectivity.
• Discuss with that expert any applicable safeguards, including any
professional requirements that apply to that expert, and evaluate whether
the safeguards are adequate to reduce threats to an acceptable level.
Interests and relationships that it may be relevant to discuss with the
practitioner’s expert include:
o Financial interests.
o Business and personal relationships.
o Provision of other services by the expert, including by the organization
in the case of an external expert that is an organization.
In some cases, it may also be appropriate for the practitioner to obtain a
written representation from the practitioner’s external expert about any
interests or relationships with the appropriate party(ies) of which that expert
is aware.
Obtaining an Understanding of the Field of Expertise of the Practitioner’s Expert
(Ref: Para. 54(b))
A123.
Having a sufficient understanding of the field of expertise of the practitioner’s
expert enables the practitioner to:
(a) Agree with the practitioner’s expert the nature, scope and objectives of that
expert’s work for the practitioner’s purposes; and
(b) Evaluate the adequacy of that work for the practitioner’s purposes.
A124.
Aspects of the practitioner’s expert’s field relevant to the practitioner’s
understanding may include:
• Whether that expert’s field has areas of specialty within it that are relevant
to the engagement.
• Whether any professional or other standards and regulatory or legal
requirements apply.
• What assumptions and methods, including models where applicable, are
used by the practitioner’s expert, and whether they are generally accepted
within that expert’s field and appropriate in the circumstances of the
engagement.
• The nature of internal and external data or information the practitioner’s
expert uses.
Agreement with the Practitioner’s Expert (Ref: Para. 54(c))
A125.
It may be appropriate for the practitioner’s agreement with the practitioner’s
expert to also include matters such as the following:
(a) The respective roles and responsibilities of the practitioner and that expert;
(b) The nature, timing and extent of communication between the practitioner
and that expert, including the form of any report to be provided by that
expert; and
(c) The need for the practitioner’s expert to observe confidentiality
requirements.
A126.
The matters noted in paragraph A118 may affect the level of detail and formality
of the agreement between the practitioner and the practitioner’s expert,
including whether it is appropriate that the agreement be in writing. The
agreement between the practitioner and a practitioner’s external expert is often
in the form of an engagement letter.
Evaluating the Adequacy of the Practitioner’s Expert’s Work (Ref: Para. 54(d))
A127.
The following matters may be relevant when evaluating the adequacy of the
practitioner’s expert’s work for the practitioner’s purposes:
(a) The relevance and reasonableness of that expert’s findings or conclusions,
and their consistency with other evidence;
(b) If that expert’s work involves use of significant assumptions and methods,
the relevance and reasonableness of those assumptions and methods in
the circumstances; and
(c) If that expert’s work involves the use of source data that is significant to that
expert’s work, the relevance, completeness, and accuracy of that source
data.
A128.
If the practitioner determines that the work of the practitioner’s expert is not
adequate for the practitioner’s purposes, options available to the practitioner
include:
(a) Agreeing with that expert on the nature and extent of further work to be
performed by that expert; or
(b) Performing additional procedures appropriate to the circumstances.
Work Performed by Another Practitioner, a Responsible Party’s Expert or an Internal
Auditor (Ref: Para. 55-57)
A129.
While paragraphs A114-A128 have been written in the context of using work
performed by a practitioner’s expert, they may also provide helpful guidance
with respect to using work performed by another practitioner, a responsible
party or an internal auditor.
Written Representations (Ref: Para. 58)
A130.
Written confirmation of oral representations reduces the possibility of
misunderstandings between the practitioner and the appropriate party(ies). The
person(s) from whom the practitioner requests written representations will
ordinarily be a member of senior management or those charged with
governance depending on, for example, the management and governance
structure of the appropriate party(ies), which may vary by jurisdiction and by
entity, reflecting influences such as different cultural and legal backgrounds,
and size and ownership characteristics.
A131.
Other written representations requested may include the following:
• That the appropriate party(ies) has communicated to the practitioner all
deficiencies in internal control relevant to the engagement that are not
clearly trivial and inconsequential of which the appropriate party(ies) is
aware; and
• That the responsible party acknowledges responsibility for the underlying
subject matter.
A132.
Representations by the appropriate party(ies) cannot replace other evidence
the practitioner could reasonably expect to be available. Although written
representations provide necessary evidence, they do not provide sufficient
appropriate evidence on their own about any of the matters with which they
deal. Furthermore, the fact that the practitioner has received reliable written
representations does not affect the nature or extent of other evidence that the
practitioner obtains.
Requested Written Representations Not Provided or Not Reliable (Ref: Para. 62)
A133.
Circumstances in which the practitioner may not be able to obtain requested
written representations include, for example, when:
• An intended user engages the practitioner to undertake an assurance
engagement on the underlying subject matter but does not have a
relationship with the responsible party of the kind necessary to ensure that
party responds to the practitioner’s request for a written representation.
• The assurance engagement is undertaken against the wishes of the
responsible party. This may be the case when, for example, the
engagement is undertaken pursuant to a court order, or a public sector
practitioner is required by the legislature or other competent authority to
undertake a particular engagement.
In these or similar circumstances, the practitioner may not have access to the
evidence needed to support the practitioner’s conclusion. If this is the case,
paragraph 67 of this CSAE applies.
Subsequent Events (Ref: Para. 63)
A134.
Consideration of subsequent events in some assurance engagements may not
be relevant because of the nature of the underlying subject matter. For
example, when the engagement requires a conclusion about the accuracy of a
statistical return at a point in time, events occurring between that point in time
and the date of the assurance report may not affect the conclusion or require
disclosure in the return or the assurance report.
A135.
As noted in paragraph 63, the practitioner has no responsibility to perform any
procedures regarding the underlying subject matter after the date of the
practitioner’s report. However, if, after the date of the practitioner’s report, a fact
becomes known to the practitioner that, had it been known to the practitioner at
the date of the practitioner’s report, may have caused the practitioner to amend
the report, the practitioner may need to discuss the matter with the appropriate
party(ies) or take other action as appropriate in the circumstances.
Other Information (Ref: Para. 64)
A136.
Further actions that may be appropriate if the practitioner identifies a material
inconsistency or becomes aware of a material misstatement of fact include, for
example:
• Requesting the appropriate party(ies) to consult with a qualified third party,
such as the appropriate party(ies)’s legal counsel.
• Obtaining legal advice about the consequences of different courses of
action.
• Communicating with third parties (for example, a regulator).
• Withholding the assurance report.
• Withdrawing from the engagement, where withdrawal is possible under
applicable law or regulation.
• Describing the material inconsistency in the assurance report.
Description of Applicable Criteria (Ref: Para. 70(d))
A137.
The description of the applicable criteria advises intended users of the
framework on which the underlying subject matter is being evaluated, and is
particularly important when there are significant differences between various
criteria regarding how particular matters may be evaluated.
A138.
A description that the underlying subject matter complies with particular
applicable criteria is appropriate only if the underlying subject matter complies
with all relevant requirements of those applicable criteria that are effective.
A139.
A description of the applicable criteria that contains imprecise qualifying or
limiting language (for example, “the underlying subject matter is in substantial
compliance with the requirements of XYZ”) is not an adequate description as it
may mislead users of the practitioner’s report.
Forming the Assurance Conclusion
Sufficiency and Appropriateness of Evidence (Ref: Para. 14(j), 65)
A140.
Evidence is necessary to support the practitioner’s conclusion and assurance
report. It is cumulative in nature and is primarily obtained from procedures
performed during the course of the engagement. It may, however, also include
information obtained from other sources such as previous engagements
(provided the practitioner has determined whether changes have occurred since
the previous engagement that may affect its relevance to the current
engagement) or a firm’s quality control procedures for client acceptance and
continuance. Evidence may come from sources inside and outside the
appropriate party(ies). Also, information that may be used as evidence may
have been prepared by an expert employed or engaged by the appropriate
party(ies). Evidence comprises both information that supports and corroborates
aspects of the underlying subject matter, and any information that contradicts
aspects of the underlying subject matter. In addition, in some cases, the
absence of information (for example, refusal by the appropriate party(ies) to
provide a requested representation) is used by the practitioner and, therefore,
also constitutes evidence. Most of the practitioner’s work in forming the
assurance conclusion consists of obtaining and evaluating evidence.
A141.
The sufficiency and appropriateness of evidence are interrelated. Sufficiency is
the measure of the quantity of evidence. The quantity of evidence needed is
affected by the risks of the underlying subject matter containing a material
deviation (the higher the risks, the more evidence is likely to be required) and
also by the quality of such evidence (the higher the quality, the less may be
required). Obtaining more evidence, however, may not compensate for its poor
quality.
A142.
Appropriateness is the measure of the quality of evidence; that is, its relevance
and its reliability in providing support for the practitioner’s conclusion. The
reliability of evidence is influenced by its source and by its nature, and is
dependent on the individual circumstances under which it is obtained.
Generalizations about the reliability of various kinds of evidence can be made;
however, such generalizations are subject to important exceptions. Even when
evidence is obtained from sources external to the appropriate party(ies),
circumstances may exist that could affect its reliability. For example, evidence
obtained from an external source may not be reliable if the source is not
knowledgeable or objective. While recognizing that exceptions may exist, the
following generalizations about the reliability of evidence may be useful:
• Evidence is more reliable when it is obtained from sources outside the
appropriate party(ies).
• Evidence that is generated internally is more reliable when the related
controls are effective.
• Evidence obtained directly by the practitioner (for example, observation of
the application of a control) is more reliable than evidence obtained
indirectly or by inference (for example, inquiry about the application of a
control).
• Evidence is more reliable when it exists in documentary form, whether
paper, electronic, or other media (for example, a contemporaneously written
record of a meeting is ordinarily more reliable than a subsequent oral
representation of what was discussed).
A143.
The practitioner ordinarily obtains more assurance from consistent evidence
obtained from different sources or of a different nature than from items of
evidence considered individually. In addition, obtaining evidence from different
sources or of a different nature may indicate that an individual item of evidence
is not reliable. For example, corroborating information obtained from a source
independent of the appropriate party(ies) may increase the assurance the
practitioner obtains from a representation from the appropriate party(ies).
Conversely, when evidence obtained from one source is inconsistent with that
obtained from another, the practitioner determines what additional procedures
are necessary to resolve the inconsistency.
A144.
In terms of obtaining sufficient appropriate evidence, it is generally more difficult
to obtain assurance about the underlying subject matter covering a period than
about underlying subject matter at a point in time. In addition, conclusions
provided on processes ordinarily are limited to the period covered by the
engagement; the practitioner provides no conclusion about whether the process
will continue to function in the specified manner in the future.
A145.
Whether sufficient appropriate evidence has been obtained on which to base
the practitioner’s conclusion is a matter of professional judgment.
A146.
In some circumstances, the practitioner may not have obtained the sufficiency
or appropriateness of evidence that the practitioner had expected to obtain
through the planned procedures. In these circumstances, the practitioner
considers that the evidence obtained from the procedures performed is not
sufficient and appropriate to be able to form a conclusion on the underlying
subject matter. The practitioner may:
• Extend the work performed; or
• Perform other procedures judged by the practitioner to be necessary in the
circumstances.
Where neither of these is practicable in the circumstances, the practitioner will
not be able to obtain sufficient appropriate evidence to be able to form a
conclusion. This situation may arise even though the practitioner has not
become aware of a matter(s) that causes the practitioner to believe the
underlying subject matter may have a material deviation, as addressed in
paragraph 51L.
Evaluating the Sufficiency and Appropriateness of Evidence (Ref: Para. 66)
A147.
An assurance engagement is a cumulative and iterative process. As the
practitioner performs planned procedures, the evidence obtained may cause
the practitioner to change the nature, timing or extent of other planned
procedures. Information may come to the practitioner’s attention that differs
significantly from that expected and upon which planned procedures were
based. For example:
• The extent of deviations that the practitioner identifies may alter the
practitioner’s professional judgment about the reliability of particular
sources of information.
• The practitioner may become aware of discrepancies in relevant
information, or inconsistent or missing evidence.
• If analytical procedures were performed towards the end of the
engagement, the results of those procedures may indicate a previously
unrecognized risk of material deviation.
In such circumstances, the practitioner may need to reevaluate the planned
procedures.
A148.
The practitioner’s professional judgment as to what constitutes sufficient
appropriate evidence is influenced by such factors as the following:
• Significance of a potential deviation and the likelihood of its having a
material effect, individually or when aggregated with other potential
deviations, on the practitioner’s report.
• Effectiveness of the appropriate party(ies)’s responses to address the
known risk of material deviation.
• Experience gained during previous assurance engagements with respect to
similar potential deviations.
• Results of procedures performed, including whether such procedures
identified specific deviations.
• Source and reliability of the available information.
• Persuasiveness of the evidence.
• Understanding of the appropriate party(ies) and its environment.
Scope Limitations (Ref: Para. 28, 68)
A149.
A scope limitation may arise from:
(a) Circumstances beyond the control of the appropriate party(ies). For
example, documentation the practitioner considers it necessary to inspect
may have been accidentally destroyed;
(b) Circumstances relating to the nature or timing of the practitioner’s work. For
example, a physical process the practitioner considers it necessary to
observe may have occurred before the practitioner’s engagement; or
(c) Limitations imposed by the responsible party or the engaging party on the
practitioner that, for example, may prevent the practitioner from performing
a procedure the practitioner considers to be necessary in the
circumstances. Limitations of this kind may have other implications for the
engagement, such as for the practitioner’s consideration of engagement
risk and engagement acceptance and continuance.
A150.
An inability to perform a specific procedure does not constitute a scope
limitation if the practitioner is able to obtain sufficient appropriate evidence by
performing alternative procedures.
A151.
The procedures performed in a limited assurance engagement are, by
definition, limited compared with that necessary in a reasonable assurance
engagement. Limitations known to exist prior to accepting a limited assurance
engagement are a relevant consideration when establishing whether the
preconditions for an assurance engagement are present, in particular, whether
the engagement exhibits the characteristics of access to evidence (see
paragraph 26(b)(iv)) and a rational purpose (see paragraph 26(b)(vi)). If a
further limitation is imposed by the appropriate party(ies) after a limited
assurance engagement has been accepted, it may be appropriate to withdraw
from the engagement, where withdrawal is possible under applicable law or
regulation.
Preparing the Assurance Report
Form of Assurance Report (Ref: Para. 68-69)
A152.
Oral and other forms of expressing conclusions can be misunderstood without
the support of a written report. For this reason, the practitioner does not report
orally or by use of symbols without also providing a written assurance report
that is readily available whenever the oral report is provided or the symbol is
used. For example, a symbol could be hyperlinked to a written assurance report
on the Internet.
A153.
This CSAE does not require a standardized format for reporting on all
assurance engagements. Instead, it identifies the basic elements the assurance
report is to include. Assurance reports are tailored to the specific engagement
circumstances. The practitioner may use headings, paragraph numbers,
typographical devices (for example, the bolding of text), and other mechanisms
to enhance the clarity and readability of the assurance report.
A154.
The practitioner may choose a “short form” or “long form” style of reporting to
facilitate effective communication to the intended users. “Short-form” reports
ordinarily include only the basic elements. “Long-form” reports include other
information and explanations that are not intended to affect the practitioner’s
conclusion. In addition to the basic elements, long-form reports may describe in
detail the terms of the engagement, the applicable criteria being used, findings
relating to particular aspects of the engagement, details of the qualifications and
experience of the practitioner and others involved with the engagement,
disclosure of materiality levels and, in some cases, recommendations. The
practitioner may find it helpful to consider the significance of providing such
information to the information needs of the intended users. As required by
paragraph 69, additional information is clearly separated from the practitioner’s
conclusion and phrased in such a manner so as to make it clear that it is not
intended to detract from that conclusion.
Assurance Report Content
Title (Ref: Para. 70(a))
A155.
An appropriate title helps to identify the nature of the assurance report, and to
distinguish it from reports issued by others, such as those who do not have to
comply with the same ethical requirements as the practitioner.
Addressee (Ref: Para. 70(b))
A156.
An addressee identifies the party or parties to whom the assurance report is
directed. The assurance report is ordinarily addressed to the engaging party,
but in some cases, there may be other intended users.
Underlying Subject Matter (Ref: Para. 70(c))
A157.
Identification and description of the underlying subject matter may include, for
example:
• The point in time or period of time to which the measurement or evaluation
of the underlying subject matter relates.
• Where applicable, the name of the responsible party or component of the
responsible party to which the underlying subject matter relates.
• An explanation of those characteristics of the underlying subject matter of
which the intended users should be aware, and how such characteristics
may influence the precision of the measurement or evaluation of the
underlying subject matter against the applicable criteria, or the
persuasiveness of available evidence. For example:
  o The degree to which the underlying subject matter is qualitative versus
  quantitative, objective versus subjective, or historical versus
  prospective.
  o Changes in the underlying subject matter or other engagement
  circumstances that affect the comparability from one period to the next.
Applicable Criteria (Ref: Para. 70(d))
A158.
The assurance report identifies the applicable criteria against which the
underlying subject matter was measured or evaluated so the intended users
can understand the basis for the practitioner’s conclusion. The assurance report
may include the applicable criteria, or refer to them if they are otherwise
available from a readily accessible source. It may be relevant, in the
circumstances, to disclose:
• The source of the applicable criteria, and whether or not the applicable
criteria are embodied in law or regulation, or issued by authorized or
recognized bodies of experts that follow a transparent due process; that is,
whether they are established criteria in the context of the underlying subject
matter (and if they are not, a description of why they are considered
suitable).
• Measurement or evaluation methods used when the applicable criteria
allow for choice between a number of methods.
• Any significant interpretations made in applying the applicable criteria in the
engagement circumstances.
• Whether there have been any changes in the measurement or evaluation
methods used.
Inherent Limitations (Ref: Para. 70(e))
A159.
While in some cases, inherent limitations can be expected to be well-understood
by the intended users of an assurance report, in other cases, it may
be appropriate to make explicit reference to them in the assurance report. For
example, in an assurance report related to the effectiveness of internal control,
it may be appropriate to note that the historic evaluation of effectiveness is not
relevant to future periods due to the risk that internal control may become
inadequate because of changes in conditions, or that the degree of compliance
with policies or procedures may deteriorate.
Specific Purpose (Ref: Para. 70(f))
A160.
In some cases, the applicable criteria used to measure or evaluate the
underlying subject matter may be designed for a specific purpose. For example,
a regulator may require certain entities to use particular applicable criteria
designed for regulatory purposes. To avoid misunderstandings, the practitioner
alerts readers of the assurance report to this fact and that, therefore, the
assurance report may not be suitable for another purpose.
A161.
In addition to the alert required by paragraph 70(f), the practitioner may
consider it appropriate to indicate that the assurance report is intended solely
for specific users. Depending on the engagement circumstances, for example,
the law or regulation of the particular jurisdiction, this may be achieved by
restricting the distribution or use of the assurance report. While an assurance
report may be restricted in this way, the absence of a restriction regarding a
particular user or purpose does not itself indicate that a legal responsibility is
owed by the practitioner in relation to that user or for that purpose. Whether a
legal responsibility is owed will depend on the legal circumstances of each case
and the relevant jurisdiction.
Relative Responsibilities (Ref: Para. 17, 70(g))
A162.
Identifying relative responsibilities informs the intended users that the
responsible party is responsible for the underlying subject matter, and that the
practitioner’s role is to independently express a conclusion about whether
the underlying subject matter complies in all material respects with the
applicable criteria.
Performance of the Engagement in Accordance with CSAE 3001 and a Subject-Matter-Specific CSAE (Ref: Para. 70(h))
A163.
Where a subject-matter-specific CSAE applies to only part of the underlying
subject matter, it may be appropriate to cite both that subject-matter-specific
CSAE and this CSAE.
A164.
A statement that contains imprecise qualifying or limiting language (for
example, “the engagement was performed by reference to CSAE 3001”) may
mislead users of assurance reports.
Applicable Quality Control Requirements (Ref: Para. 70(i))
A165.
The following is an illustration of a statement in the assurance report regarding
applicable quality control requirements:
The firm applies Canadian Standard on Quality Control 1 and, accordingly,
maintains a comprehensive system of quality control, including documented
policies and procedures regarding compliance with ethical requirements,
professional standards and applicable legal and regulatory requirements.
Compliance with Independence and Other Ethical Requirements (Ref: Para. 70(j))
A166.
The following is an illustration of a statement in the assurance report regarding
compliance with ethical requirements:
We have complied with the independence and other ethical requirements of
the [specify applicable rules of professional conduct/code of conduct in
Canada], which are founded on fundamental principles of integrity,
objectivity, professional competence and due care, confidentiality and
professional behavior.
Summary of the Work Performed (Ref: Para. A6, 70(k))
A167.
The summary of the work performed helps the intended users understand the
practitioner’s conclusion. For many assurance engagements, infinite variations
in procedures are possible in theory. In practice, however, these are difficult to
communicate clearly and unambiguously. Other authoritative pronouncements
issued by the Auditing and Assurance Standards Board may be useful to
practitioners in preparing the summary.
A168.
Where no specific CSAE provides guidance on procedures for a particular
underlying subject matter, the summary might include a more detailed
description of the work performed. It may be appropriate to include in the
summary a statement that the work performed included evaluating the suitability
of the applicable criteria.
A169.
In a limited assurance engagement, the summary of the work performed is
ordinarily more detailed than for a reasonable assurance engagement and
identifies the limitations on the nature, timing and extent of procedures. This is
because an appreciation of the nature, timing and extent of procedures
performed is essential to understanding a conclusion expressed in a form that
conveys whether, based on the procedures performed, a material matter(s) has
come to the practitioner’s attention to cause the practitioner to believe the
underlying subject matter contains a material deviation. It also may be
appropriate to indicate in the summary of the work performed certain
procedures that were not performed that would ordinarily be expected to be
performed in a reasonable assurance engagement. However, a complete
identification of all such procedures may not be possible because the
practitioner’s required understanding and consideration of engagement risk is
less than in a reasonable assurance engagement.
A170.
Factors to consider in determining the level of detail to be provided in the
summary of the work performed may include:
• Circumstances specific to the entity (for example, the differing nature of the
entity’s activities compared to those typical in the sector).
• Specific engagement circumstances affecting the nature and extent of the
procedures performed.
• The intended users’ expectations of the level of detail to be provided in the
report, based on market practice, or applicable law or regulation.
A171.
It is important that the summary be written in an objective way that allows
intended users to understand the work done as the basis for the practitioner’s
conclusion. In most cases, this will not involve detailing the entire work plan, but
on the other hand, it is important for it not to be so summarized as to be
ambiguous, nor written in a way that is overstated or embellished.
The Practitioner’s Conclusion (Ref: Para. 14(a)(ii)(b), 70(l))
A172.
An example of a conclusion expressed in a form appropriate for a reasonable
assurance engagement is: “In our opinion, the entity has complied, in all
material respects, with XYZ law.”
A173.
It may be appropriate to inform the intended users of the context in which the
practitioner’s conclusion is to be read when the assurance report includes an
explanation of particular characteristics of the underlying subject matter of
which the intended users should be aware. The practitioner’s conclusion may,
for example, include wording such as: “This conclusion has been formed on the
basis of the matters outlined elsewhere in this independent assurance report.”
A174.
An example of a conclusion expressed in a form appropriate for a limited
assurance engagement is:
“Based on the procedures performed and evidence obtained, nothing has
come to our attention that causes us to believe that [the entity] has not
complied, in all material respects, with XYZ law.”
A175.
Forms of expression that may be useful for underlying subject matters include,
for example, “in compliance with” or “in accordance with.”
A176.
Inclusion of a heading above paragraphs containing modified conclusions, and
the matter(s) giving rise to the modification, aids the understandability of the
practitioner’s report. Examples of appropriate headings include “Qualified
Conclusion,” “Adverse Conclusion,” or “Disclaimer of Conclusion” and “Basis for
Qualified Conclusion,” “Basis for Adverse Conclusion,” as appropriate.
The Practitioner’s Signature (Ref: Para. 70(m))
A177.
The practitioner’s signature is either in the name of the practitioner’s firm, the
personal name of the individual practitioner or both, as appropriate for the
particular jurisdiction. In addition to the practitioner’s signature, in certain
jurisdictions, the practitioner may be required to make a declaration in the
practitioner’s report about professional designations or recognition by the
appropriate licensing authority in that jurisdiction.
Date (Ref: Para. 70(n))
A178.
Including the assurance report date informs the intended users that the
practitioner has considered the effect on the assurance report of events that
occurred up to that date.
Reference to the Practitioner’s Expert in the Assurance Report (Ref: Para. 71)
A179.
In some cases, law or regulation may require a reference to the work of a
practitioner’s expert in the assurance report, for example, for the purposes of
transparency in the public sector. It may also be appropriate in other
circumstances, for example, to explain the nature of a modification of the
practitioner’s conclusion, or when the work of an expert is integral to findings
included in a long-form report.
A180.
Nonetheless, the practitioner has sole responsibility for the conclusion
expressed, and that responsibility is not reduced by the practitioner’s use of the
work of a practitioner’s expert. It is important, therefore, that if the assurance
report refers to a practitioner’s expert, the wording of that report does not
imply that the practitioner’s responsibility for the conclusion expressed is
reduced because of the involvement of that expert.
A181.
A generic reference in a long-form report to the engagement having been
conducted by suitably qualified personnel including subject matter experts and
assurance specialists is unlikely to be misunderstood as reduced responsibility.
The potential for misunderstanding is higher, however, in the case of short-form
reports, where minimum contextual information is able to be presented, or when
the practitioner’s expert is referred to by name. Therefore, additional wording
may be needed in such cases to prevent the assurance report implying that the
practitioner’s responsibility for the conclusion expressed is reduced because of
the involvement of the expert.
Unmodified and Modified Conclusions (Ref: Para. 75-78, Appendix 1)
A182.
The term ‘pervasive’ describes the effects on the underlying subject matter of
deviations or the possible effects on the underlying subject matter of deviations,
if any, that are undetected due to an inability to obtain sufficient appropriate
evidence. Pervasive effects on the underlying subject matter are those that, in
the practitioner’s professional judgment:
(a) Are not confined to specific aspects of the underlying subject matter; or
(b) If so confined, represent or could represent a substantial proportion of the
underlying subject matter.
A183.
The nature of the matter, and the practitioner’s judgment about the
pervasiveness of the effects or possible effects on the underlying subject
matter, affects the type of conclusion to be expressed.
A184.
Examples of qualified and adverse conclusions and a disclaimer of conclusion
are:
• Qualified conclusion (an example for limited assurance engagements with a
material deviation) – “Based on the procedures performed and the evidence
obtained, except for the effect of the matter described in the Basis for
Qualified Conclusion section of our report, nothing has come to our
attention that causes us to believe that the entity has not complied, in all
material respects, with XYZ law.”
• Adverse conclusion (an example for a material and pervasive deviation for
both reasonable assurance and limited assurance engagements) –
“Because of the significance of the matter described in the Basis for
Adverse Conclusion section of our report, the entity has not complied, in all
material respects, with XYZ law.”
• Disclaimer of conclusion (an example for a material and pervasive limitation
of scope for both reasonable assurance and limited assurance
engagements) – “Because of the significance of the matter described in the
Basis for Disclaimer of Conclusion section of our report, we have not been
able to obtain sufficient appropriate evidence to form a conclusion on
whether the entity has complied, in all material respects, with XYZ law.
Accordingly, we do not express a conclusion on such compliance.”
Other Communication Responsibilities (Ref: Para. 78)
A185.
Matters that may be appropriate to communicate with the responsible party, the
engaging party or others include fraud or suspected fraud.
Documentation (Ref: Para. 79-83)
A186.
Documentation includes a record of the practitioner’s reasoning on all
significant matters that require the exercise of professional judgment, and
related conclusions. When difficult questions of principle or professional
judgment exist, documentation that includes the relevant facts that were known
by the practitioner at the time the conclusion was reached may assist in
demonstrating the practitioner’s knowledge.
A187.
It is neither necessary nor practical to document every matter considered, or
professional judgment made, during an engagement. Further, it is unnecessary
for the practitioner to document separately (as in a checklist, for example)
compliance with matters for which compliance is demonstrated by documents
included within the engagement file. Similarly, the practitioner need not include
in the engagement file superseded drafts of working papers, notes that reflect
incomplete or preliminary thinking, previous copies of documents corrected for
typographical or other errors, and duplicates of documents.
A188.
In applying professional judgment to assessing the extent of documentation to
be prepared and retained, the practitioner may consider what is necessary to
provide an understanding of the work performed and the basis of the principal
decisions taken (but not the detailed aspects of the engagement) to another
practitioner who has no previous experience with the engagement. That other
practitioner may only be able to obtain an understanding of detailed aspects of
the engagement by discussing them with the practitioner who prepared the
documentation.
A189.
Documentation may include a record of, for example:
• The identifying characteristics of the specific items or matters tested;
• Who performed the engagement work and the date such work was
completed;
• Who reviewed the engagement work performed and the date and extent of
such review; and
• Discussions of significant matters with the appropriate party(ies) and others,
including the nature of the significant matters discussed and when and with
whom the discussions took place.
A190.
Documentation may include a record of, for example:
• Issues identified with respect to compliance with relevant ethical
requirements and how they were resolved.
• Conclusions on compliance with independence requirements that apply to
the engagement, and any relevant discussions with the firm that support
these conclusions.
• Conclusions reached regarding the acceptance and continuance of client
relationships and assurance engagements.
• The nature and scope of, and conclusions resulting from, consultations
undertaken during the course of the engagement.
Assembly of the Final Engagement File
A191.
CSQC 1 (or other professional requirements, or requirements in law or
regulation that are at least as demanding as CSQC 1) requires firms to
establish policies and procedures for the timely completion of the assembly of
engagement files.⁶ An appropriate time limit within which to complete the
assembly of the final engagement file is ordinarily not more than 60 days after
the date of the assurance report.⁷
A192.
The completion of the assembly of the final engagement file after the date of the
assurance report is an administrative process that does not involve the
performance of new procedures or the drawing of new conclusions. Changes
may, however, be made to the documentation during the final assembly
process if they are administrative in nature. Examples of such changes include:
• Deleting or discarding superseded documentation.
• Sorting, collating and cross-referencing working papers.
• Signing off on completion checklists relating to the file assembly process.
• Documenting evidence that the practitioner has obtained, discussed and
agreed with the relevant members of the engagement team before the date
of the assurance report.
6 CSQC 1, paragraph 45
7 CSQC 1, paragraph A54
A193.
CSQC 1 (or other requirements that are at least as demanding as CSQC 1)
requires firms to establish policies and procedures for the retention of
engagement documentation.⁸ The retention period for assurance engagements
ordinarily is no shorter than five years from the date of the assurance report.⁹
8 CSQC 1, paragraph 47
9 CSQC 1, paragraph A61
Appendix 1
(Ref: Para. A10, A15, A16-A18, A19, A35-A36, A182-A184)
Roles and Responsibilities
[Diagram. Labels: Responsibility: Measure/Evaluate & Assure; Responsible Party; Engaging Party; Terms of the Engagement; Practitioner; Underlying subject matter; Criteria; Assurance Report (Information, observations & conclusion); Intended users.]
1.
All assurance engagements have at least three parties: the responsible party,
the practitioner and the intended users. Depending on the engagement
circumstances, there may also be a separate engaging party.
2.
The above diagram illustrates how the following roles relate to a direct
engagement:
(a) The responsible party is responsible for the underlying subject matter.
(b) The engaging party agrees the terms of the engagement with the
practitioner.
(c) The practitioner obtains sufficient appropriate evidence in order to express
a conclusion on whether the underlying subject matter conforms, in all
material respects, with the applicable criteria.
(d) The intended users make decisions on the basis of the practitioner’s report.
The intended users are the individual(s) or organization(s), or group(s)
thereof that the practitioner expects will use the assurance report.
3.
The following observations can be made about these roles:
• Every assurance engagement has at least a responsible party and intended
users, in addition to the practitioner.
• The practitioner cannot be the responsible party, the engaging party or an
intended user.
• The practitioner is also the measurer or evaluator.
• The character of a direct engagement cannot be changed to an attestation
engagement by another party assuming responsibility for the measurement
or evaluation, for example, by the responsible party attaching a statement
to the underlying subject matter accepting responsibility for it.
• The responsible party can be the engaging party.
• The responsible party can be one of the intended users, but not the only
one.
• The responsible party and the intended users may be from different entities
or the same entity. As an example of the latter case, in a two-tier board
structure, the supervisory board may seek assurance about underlying
subject matter for which the executive board of that entity is responsible.
The relationship between the responsible party and the intended users
needs to be viewed within the context of a specific engagement and may
differ from more traditionally defined lines of responsibility. For example, an
entity’s senior management (an intended user) may engage a practitioner to
perform a direct engagement on a particular aspect of the entity’s activities
that is the immediate responsibility of a lower level of management (the
responsible party), but for which senior management is ultimately
responsible.
• An engaging party that is not also the responsible party can be the intended
user.
4.
The practitioner’s conclusion is phrased in terms of underlying subject matter
and the applicable criteria.
5.
The practitioner and the responsible party may agree to apply the principles of
the CSAEs to an engagement when there are no intended users other than the
responsible party but where all other requirements of the CSAEs are met. In
such cases, the practitioner’s report includes a statement restricting the use of
the report to the responsible party.
Appendix 2
(Ref: Para. 2)
Illustrations of Differences between Attestation Engagements and Direct
Engagements
Objective
Attestation Engagement: To enhance the degree of confidence of the intended
users about the subject matter information.
Direct Engagement: To enhance the degree of confidence of the intended users
about the practitioner’s conclusion regarding the outcome of the measurement
or evaluation of an underlying subject matter against criteria.

Subject matter information
Attestation Engagement: Public statement or assertion made by the responsible
party regarding its measurement or evaluation of the underlying subject matter
(for example, a statement regarding the entity’s compliance with applicable
criteria, and information related to such compliance).
Direct Engagement: No public statement or assertion made by the responsible
party.

Measurer/evaluator
Attestation Engagement: Party other than the practitioner.
Direct Engagement: Practitioner.

Applicable criteria
Attestation Engagement: Party other than the practitioner decides on the
applicable criteria to be used in preparing its subject matter information. The
practitioner determines whether the applicable criteria are suitable for the
engagement circumstances.
Direct Engagement: Practitioner normally decides on the applicable criteria to
be used for the engagement and seeks agreement from the party responsible for
the underlying subject matter that the criteria are suitable.

Non-conformance with criteria
Attestation Engagement: Misstatement of the subject matter information.
Direct Engagement: Deviation of the underlying subject matter from the
applicable criteria.

Reporting
Attestation Engagement: The practitioner’s report includes a conclusion
regarding, for example, whether the subject matter information is, in all
material respects, properly prepared, based on the applicable criteria.
Direct Engagement: The practitioner’s report includes a conclusion regarding
whether the underlying subject matter conforms, in all material respects, with
the applicable criteria.
Examples of engagement
• An audit of internal control over financial reporting that is integrated with
a financial statement audit.
• A value-for-money (performance) audit of a public sector entity when the
entity has made no public statement or assertion regarding such performance.
• An audit or review of an entity’s greenhouse gas emissions.
• An audit of a service organization’s description of its controls and the
suitability of design and operating effectiveness of those controls.
• An audit or review of an entity’s statement or assertion to an external party
regarding the entity’s compliance with an agreement, statute or regulation.
• An audit or review of an entity’s compliance with an agreement, statute or
regulation when the entity has made no statement or assertion to an external
party regarding such compliance.
CONSEQUENTIAL AMENDMENTS
The following significant consequential amendments have been identified. Additional
text is denoted by underlining and deleted text by strikethrough.
CSAE 3410, ASSURANCE ENGAGEMENTS ON GREENHOUSE GAS STATEMENTS
9.
The performance of assurance engagements other than audits or reviews of
historical financial information requires the practitioner to comply with Section
5025 and other Canadian standards that apply to all assurance engagements
other than audits of financial statements and other historical financial
information. The practitioner is required to comply with CSAE 3000 and this
CSAE when performing an assurance engagement on greenhouse gas
statements. This CSAE supplements, but does not replace, CSAE 3000 and
expands on how CSAE 3000 is to be applied in an assurance engagement on
greenhouse gas statements. Section 5025 includes requirements in relation to
such topics as engagement acceptance, planning, evidence, and
documentation that apply to all assurance engagements, including
engagements in accordance with this CSAE. This CSAE expands on how
Section 5025 is to be applied in an assurance engagement to report on an
entity's GHG statement. Section 5025, which defines and describes the
elements and objectives of an assurance engagement, provides context for
understanding this CSAE. (Ref: Para. A17)
C10.
Compliance with CSAE 3000 requires, among other things, compliance with
relevant rules of professional conduct/code of ethics applicable to the practice
of public accounting and related to assurance engagements, issued by various
professional accounting bodies or other professional requirements, or
6
requirements in law or regulation, that are at least as demanding. It also
requires the engagement partner to be a member of a firm that applies CSQC 1,
or other professional requirements, or requirements in law or regulation,
regarding the firm’s responsibility for its system of quality control, that are at
67
least as demanding as CSQC 1. Compliance with Section 5030 requires,
among other things, that the practitioner comply with relevant ethical
requirements and implement quality control procedures that are applicable to
the individual engagement. (Ref: Para. CA5-A6) [In ISAE 3410, this paragraph
states: Compliance with ISAE 3000 requires, among other things, compliance
with Parts A and B of the Code of Ethics for Professional Accountants issued by
the International Ethics Standards Board for Accountants (the IESBA Code)
related to assurance engagements, or other professional requirements, or
requirements imposed by law or regulation, that are at least as demanding. It
also requires the engagement partner to be a member of a firm that applies
ISQC 1,⁸ or other professional requirements, or requirements in law or
regulation, that are at least as demanding as ISQC 1. Compliance with ISAE
3000 requires, among other things, that the practitioner comply with the
independence and other requirements of the Code of Ethics for Professional
Accountants issued by the International Ethics Standards Board for
Accountants (IESBA Code) and implement quality control procedures that are
applicable to the individual engagement.]
6 CSAE 3000, paragraphs C3, C20 and 34. Paragraphs 5030.02 and 5030.10 [In ISAE 3410, this footnote
states: ISAE 3000, paragraphs 3, 20 and 34 4 and 6]
7 CSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance Engagements
C76.
The assurance report shall include, at a minimum, the following basic elements:
(Ref: Para. A134)
(a) A title that clearly indicates the report is an independent moderate level
assurance or audit report.
(b) The An addressee of the assurance report.
(c) An identification or description of the level of assurance, either
reasonable or limited, obtained by the practitioner.
(c)(d) Identification of the GHG statement, including the period(s) it covers,
and, if any information in that statement is not covered by the
practitioner's conclusion, clear identification of the information subject to
assurance as well as the excluded information, together with a
statement that the practitioner has not performed any procedures with
respect to the excluded information and, therefore, that no conclusion
on it is expressed. (Ref: Para. A120, A135)
(d)(e) A description of the entity's responsibilities. (Ref: Para. A35)
(e)(f) A statement that GHG quantification is subject to inherent uncertainty.
(Ref: Para. A54-A59)
(f)(g) If the GHG statement includes emissions deductions that are covered
by the practitioner's conclusion, identification of those emissions
deductions, and a statement of the practitioner's responsibility with
respect to them. (Ref: Para. A136-A139)
(g)(h) Identification of the applicable criteria:
(i) Identification of how those criteria can be accessed;
(ii) If those criteria are available only to specific intended users, or are
relevant only to a specific purpose, a statement alerting readers to
this fact and that, as a result, the GHG statement may not be
suitable for another purpose. The statement shall also restricting
the use of the assurance report to those intended users or that
purpose; and (Ref: Para. A140-A141)
(iii) If established criteria need to be supplemented by disclosures in
the explanatory notes to the GHG statement for those criteria to be
suitable, identification of the relevant note(s). (Ref: Para. A131)
8 ISQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements
(i) A statement that the firm of which the practitioner is a member applies
CSQC 1, or other professional requirements, or requirements in law or
regulation, that are at least as demanding as ISQC 1. If the practitioner
is not a professional accountant, the statement shall identify the
professional requirements, or requirements in law or regulation, applied
that are at least as demanding as CSQC 1.
C(j) A statement that the practitioner complies with relevant rules of
professional conduct/code of ethics applicable to the practice of public
accounting and related to assurance engagements, issued by various
professional accounting bodies or other professional requirements, or
requirements in law or regulation, that are at least as demanding. If the
practitioner is not a professional accountant, the statement shall identify
the professional requirements, or requirements imposed by law or
regulation, applied that are at least as demanding. [In ISAE 3410, this
paragraph states: A statement that the practitioner complies with the
independence and other ethical requirements of the IESBA Code, or
other professional requirements, or requirements imposed by law or
regulation, that are at least as demanding as Parts A and B of the
IESBA Code related to assurance engagements. If the practitioner is
not a professional accountant, the statement shall identify the
professional requirements, or requirements imposed by law or
regulation, applied that are at least as demanding as Parts A and B of
the IESBA Code related to assurance engagements.]
(h)(k) A description of the practitioner's responsibility, including:
(i) A statement that the engagement was performed in accordance
with CSAE 3410, Assurance Engagements on Greenhouse Gas
Statements; and
(ii) An informative A summary of the work performed as the basis for
the basis for the practitioner's procedures conclusion. In the case
of a limited assurance engagement, an appreciation of the nature,
timing and extent of procedures performed is essential to
understanding the practitioner’s conclusion. In the case of a
moderate level limited assurance engagement, the summary of the
work performed this shall state include a statement that:
• The the procedures performed in a moderate limited level
assurance engagement vary in nature and timing from, and are
less in extent than for, an audit a reasonable assurance
engagement; and
• Consequently,. As a result, the level of assurance obtained in a
moderate level limited assurance engagement is substantially
lower than the assurance that would have been obtained had
an audit a reasonable assurance engagement been performed.
(Ref: Para. A142-A144).
(i)(l) The practitioner's conclusion:
(i) In a reasonable assurance engagement, the conclusion shall be
expressed in a the positive form in the case of an audit
engagement; or
(ii) In a limited assurance engagement, the conclusion shall be
expressed in a form that conveys whether, based on the
procedures performed and evidence obtained, a matter(s) has
come to the practitioner’s attention to cause the practitioner to
believe that the GHG statement is not prepared, in all material
respects, in accordance with the applicable criteria. in the negative
form in the case of a moderate level assurance engagement, about
whether the GHG statement is prepared, in all material respects, in
accordance with the applicable criteria.
(iii) When the practitioner expresses a modified conclusion, the
assurance report shall contain:
a. A section that provides a description of the matter(s) giving rise
to the modification; and
b. A section that contains the practitioner’s modified conclusion.
(j) If the practitioner expresses a conclusion that is modified, a clear
description of all the reasons therefore.
(k)(m) The practitioner's signature. (Ref: Para. A145)
(l)(n) The date of the assurance report. The assurance report shall be dated
no earlier than the date on which the practitioner has obtained the
evidence on which the practitioner’s conclusion is based, including
evidence that those with recognized authority have asserted that they
have taken responsibility for the GHG statement.
(m)(o) The location in the jurisdiction where the practitioner practices.
CSAE 3416, REPORTING ON CONTROLS AT A SERVICE ORGANIZATION
Relationship with CSAE 3000, Other Professional Pronouncements, and Other
Requirements
1A.
The practitioner is required to comply with CSAE 3000¹ and this CSAE when
performing an assurance engagement to report on controls at a service
organization. This CSAE supplements, but does not replace, CSAE 3000 and
expands on how CSAE 3000 is to be applied in an assurance engagement to
report on controls at a service organization.
1B.
Compliance with CSAE 3000 requires, among other things, compliance with
relevant rules of professional conduct/code of ethics applicable to the practice
of public accounting and related to assurance engagements, issued by various
professional accounting bodies or other professional requirements, or
requirements in law or regulation, that are at least as demanding. It also
requires the engagement partner to be a member of a firm that applies
CSQC 1,² or other professional requirements, or requirements in law or
regulation, regarding the firm’s responsibility for its system of quality control,
that are at least as demanding as CSQC 1.
52.
A service auditor's type 2 report shall include, at a minimum, the following
elements:
(a) A title that includes the word independent;
(b) An addressee;
(c) Identification of:
(i) Management's description of the service organization's system and
the function performed by the system;
(ii) Any parts of management's description of the service organization's
system that are not covered by the service auditor's report;
(iii) Any information included in a document containing the service
auditor's report that is not covered by the service auditor's report;
(iv) The applicable criteria; and
(v) Any services performed by a subservice organization and whether
the carve-out method or the inclusive method was used in relation
to them. Depending on which method is used, the following shall be
included:
a. If the carve-out method was used, a statement that
management's description of the service organization's system
excludes the control objectives and related controls at relevant
subservice organizations, and that the service auditor's
procedures do not extend to the subservice organization.
b. If the inclusive method was used, a statement that
management's description of the service organization's system
includes the subservice organization's specified control
objectives and related controls, and that the service auditor's
procedures included procedures related to the subservice
organization.
1 CSAE 3000, Attestation Engagements Other than Audits or Reviews of Historical Financial Information
2 CSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance Engagements
(d) If management's description of the service organization's system refers
to the need for complementary user entity controls, a statement that the
service auditor has not evaluated the suitability of the design or
operating effectiveness of complementary user entity controls, and that
the control objectives stated in the description can be achieved only if
complementary user entity controls are suitably designed and operating
effectively, along with the controls at the service organization;
(e) A reference to management's assertion and a statement that
management is responsible for:
(i) Preparing the description of the service organization's system and
the assertion, including the completeness, accuracy, and method of
presentation of the description and assertion;
(ii) Providing the services covered by the description of the service
organization's system;
(iii) Specifying the control objectives unless the control objectives are
specified by law, regulation, or another party, and stating them in
the description of the service organization's system;
(iv) Identifying the risks that threaten the achievement of the control
objectives;
(v) Selecting the criteria; and
(vi) Designing, implementing, and documenting controls that are
suitably designed and operating effectively to achieve the related
control objectives stated in the description of the service
organization's system.
(f) A statement that the service auditor's responsibility is to express an
opinion on the fairness of the presentation of management's description
of the service organization's system and on the suitability of the design
and operating effectiveness of the controls to achieve the related
control objectives stated in the description, based on the service
auditor's audit;
(g) A statement that the firm of which the practitioner is a member applies
CSQC 1, or other professional requirements, or requirements in law or
regulation, that are at least as demanding as CSQC 1. If a practitioner
is not a professional accountant, the statement shall identify the
professional requirements, or requirements in law or regulation, applied
that are at least as demanding as CSQC 1.
(h) A statement that the practitioner complies with the independence and
other ethical requirements of relevant rules of professional
conduct/code of ethics applicable to the practice of public accounting
and related to assurance engagements, issued by various professional
accounting bodies relevant to assurance engagements or other
professional requirements, or requirements imposed by law or
regulation, that are at least as demanding. If the practitioner is not a
professional accountant, the statement shall identify the professional
requirements, or requirements imposed by law or regulation, applied
that are at least as demanding.
(g)(i) A statement that the engagement was performed in accordance with
CSAE 3416, Reporting on Controls at a Service Organization. A
statement that the audit was conducted in accordance with the
Canadian Standard on Assurance Engagements for Reporting on
Controls at a Service Organization, set out in the CPAICA Handbook Assurance. This standard requires the service auditor to plan and
perform the audit to obtain reasonable assurance about whether
management's description of the service organization's system is fairly
presented and the controls are suitably designed and operating
effectively throughout the specified period to achieve the related control
objectives;
(h)(j) A statement that an audit of management's description of a service
organization's system and the suitability of the design and operating
effectiveness of the service organization's controls to achieve the
related control objectives stated in the description involves performing
procedures to obtain evidence about the fairness of the presentation of
the description and the suitability of the design and operating
effectiveness of those controls to achieve the related control objectives
stated in the description;
(i)(k) A statement that the audit included assessing the risks that
management's description of the service organization's system is not
fairly presented and that the controls were not suitably designed or
operating effectively to achieve the related control objectives;
(j)(l) A statement that the audit also included testing the operating
effectiveness of those controls that the service auditor considers
necessary to provide reasonable assurance that the related control
objectives stated in management's description of the service
organization's system were achieved;
(k)(m) A statement that an audit engagement of this type also includes
evaluating the overall presentation of management's description of the
service organization's system and suitability of the control objectives
stated in the description;
(l)(n) A statement that the service auditor believes the audit provides a
reasonable basis for his or her opinion;
(m)(o) A statement about the inherent limitations of controls, including the risk
of projecting to future periods any evaluation of the fairness of the
presentation of management's description of the service organization's
system or conclusions about the suitability of the design or operating
effectiveness of controls;
(n)(p) The service auditor's opinion on whether, in all material respects, based
on the criteria described in management's assertion:
(i) Management's description of the service organization's system
fairly presents the service organization's system that was designed
and implemented throughout the specified period;
(ii) The controls related to the control objectives stated in
management's description of the service organization's system
were suitably designed to provide reasonable assurance that those
control objectives would be achieved if the controls operated
effectively throughout the specified period;
(iii) The controls the service auditor tested, which were those
necessary to provide reasonable assurance that the control
objectives stated in management's description of the service
organization's system were achieved, operated effectively
throughout the specified period; and
(iv) If the application of complementary user entity controls is necessary
to achieve the related control objectives stated in management's
description of the service organization's system, a reference to this
condition.
(o)(q) A reference to a description of the service auditor's tests of controls and
the results thereof, that includes:
(i) Identification of the controls that were tested, whether the items
tested represent all or a selection of the items in the population, and
the nature of the tests in sufficient detail to enable user auditors to
determine the effect of such tests on their risk assessments; and
(ii) If deviations have been identified in the operation of controls
included in the description, the extent of testing performed by the
service auditor that led to the identification of the deviations
(including the number of items tested), and the number and nature
of the deviations noted (even if, on the basis of tests performed, the
service auditor concludes that the related control objective was
achieved).
(p)(r) A statement restricting the use of the service auditor's report to
management of the service organization, user entities of the service
organization's system during some or all of the period covered by the
service auditor's report, and the independent auditors of such user
entities;
(s) The practitioner’s signature.
(q)(t) The date of the service auditor's report which shall be no earlier than
the date on which the service auditor has obtained the evidence on
which the practitioner’s conclusion is based; and
(r)(u) The name of the service auditor and the location in the jurisdiction
where the service auditor practices. (Ref: Para. A64-A69)
53.
A service auditor's type 1 report shall include, at a minimum, the following
elements:
(a) A title that includes the word independent;
(b) An addressee;
(c) Identification of:
(i) Management's description of the service organization's system
prepared by management and the function performed by the system;
(ii) Any parts of management's description of the service organization's
system that are not covered by the service auditor's report;
(iii) Any information included in a document containing the service auditor's
report that is not covered by the service auditor's report;
(iv) The applicable criteria; and
(v) Any services performed by a subservice organization and whether the
carve-out method or the inclusive method was used in relation to them.
Depending on which method is used, the following shall be included:
a. If the carve-out method was used, a statement that management's
description of the service organization's system excludes the
control objectives and related controls at relevant subservice
organizations, and that the service auditor's procedures do not
extend to the subservice organization.
b. If the inclusive method was used, a statement that management's
description of the service organization's system includes the
subservice organization's specified control objectives and related
controls, and that the service auditor's procedures included
procedures related to the subservice organization.
(d) If management's description of the service organization's system refers
to the need for complementary user entity controls, a statement that the
service auditor has not evaluated the suitability of the design or
operating effectiveness of complementary user entity controls, and that
the control objectives stated in the description can be achieved only if
complementary user entity controls are suitably designed and operating
effectively, along with the controls at the service organization;
(e) A reference to management's assertion and a statement that
management is responsible for:
(i) Preparing the description of the service organization's system and
assertion, including the completeness, accuracy, and method of
presentation of the description and assertion;
(ii) Providing the services covered by the description of the service
organization's system;
(iii) Specifying the control objectives, unless the control objectives are
specified by law, regulation, or another party, and stating them in
the description of the service organization's system;
(iv) Identifying the risks that threaten the achievement of the control
objectives;
(v) Selecting the criteria; and
(vi) Designing, implementing, and documenting controls that are
suitably designed and operating effectively to achieve the related
control objectives stated in the description of the service
organization's system.
(f) A statement that the service auditor's responsibility is to express an
opinion on the fairness of the presentation of management's description
of the service organization's system and on the suitability of the design
of the controls to achieve the related control objectives stated in the
description, based on the service auditor's audit.
(g) A statement that the firm of which the practitioner is a member applies
CSQC 1, or other professional requirements, or requirements in law or
regulation, that are at least as demanding as CSQC 1. If a practitioner
is not a professional accountant, the statement shall identify the
professional requirements, or requirements in law or regulation, applied
that are at least as demanding as CSQC 1.
(h) A statement that the practitioner complies with the independence and
other ethical requirements of relevant rules of professional
conduct/code of ethics applicable to the practice of public accounting
and related to assurance engagements, issued by various professional
accounting bodies relevant to assurance engagements or other
professional requirements, or requirements imposed by law or
regulation, that are at least as demanding. If the practitioner is not a
professional accountant, the statement shall identify the professional
requirements, or requirements imposed by law or regulation, applied
that are at least as demanding.
(g)(i) A statement that the engagement was performed in accordance with
CSAE 3416, Reporting on Controls at a Service Organization. A
statement that the audit was conducted in accordance with the
Canadian Standard on Assurance Engagements for Reporting on
Controls at a Service Organization, set out in the CICPA Handbook –
Assurance. This standard requires the service auditor to plan and
perform the audit to obtain reasonable assurance about whether
management's description of the service organization's system is fairly
presented and the controls are suitably designed as of the specified
date to achieve the related control objectives;
(h)(j) A statement that the service auditor has not performed any procedures
regarding the operating effectiveness of controls and, therefore,
expresses no opinion thereon;
(i)(k) A statement that an audit of management's description of a service
organization's system and the suitability of the design of the service
organization's controls to achieve the related control objectives stated in
the description involves performing procedures to obtain evidence
about the fairness of the presentation of the description and the
suitability of the design of those controls to achieve the related control
objectives stated in the description;
(j)(l) A statement that the audit included assessing the risks that
management's description of the service organization's system is not
fairly presented and that the controls were not suitably designed to
achieve the related control objectives;
(k)(m) A statement that an audit engagement of this type also includes
evaluating the overall presentation of management's description of the
service organization's system and suitability of the control objectives
stated in the description;
(l)(n) A statement that the service auditor believes the audit provides a
reasonable basis for his or her opinion;
(m)(o) A statement about the inherent limitations of controls, including the risk
of projecting to future periods any evaluation of the fairness of the
presentation of management's description of the service organization's
system or conclusions about the suitability of the design of the controls
to achieve the related control objectives;
(n)(p) The service auditor's opinion on whether, in all material respects, based
on the criteria described in management's assertion:
(i) Management's description of the service organization's system
fairly presents the service organization's system that was designed
and implemented as of the specified date;
(ii) The controls related to the control objectives stated in
management's description of the service organization's system
were suitably designed to provide reasonable assurance that those
control objectives would be achieved if the controls operated
effectively as of the specified date; and
(iii) If the application of complementary user entity controls is necessary
to achieve the related control objectives stated in management's
description of the service organization's system, a reference to this
condition.
(o)(q) A statement restricting the use of the service auditor's report to
management of the service organization, user entities of the service
organization's system as of the end of the period covered by the service
auditor's report, and the independent auditors of such user entities;
(r) The practitioner’s signature.
(p)(s) The date of the service auditor's report which shall be no earlier than
the date on which the service auditor has obtained the evidence on
which the practitioner’s conclusion is based; and
(q)(t) The name of the service auditor and the location in the jurisdiction
where the service auditor practices. (Ref: Para. A64-A69)
AUDITING FOR COMPLIANCE WITH LEGISLATIVE AND RELATED AUTHORITIES
IN THE PUBLIC SECTOR, Section PS 5300
.01A
The practitioner is required to comply with CSAE 3000, Attestation
Engagements Other than Audits or Reviews of Historical Financial Information,
(in the context of an attestation engagement) or CSAE 3001, Direct
Engagements, (in the context of a direct engagement) and this Section when
performing an assurance engagement on compliance with legislative and
related authorities in the public sector. This Section supplements, but does not
replace CSAE 3000 and CSAE 3001, and expands on how the Canadian
Standards on Assurance Engagements are to be applied in an assurance
engagement on compliance with legislative authorities in the public sector.
.01B
Compliance with CSAE 3000, Attestation Engagements Other than Audits or
Reviews of Historical Financial Information, and CSAE 3001, Direct
Engagements, requires, among other things, compliance with relevant rules of
professional conduct/code of ethics, applicable to the practice of public
accounting and related to assurance engagements, issued by various
professional accounting bodies or other professional requirements, or
requirements in law or regulation, that are at least as demanding. It also
requires the engagement partner to be a member of a firm that applies CSQC 1,
Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance Engagements, or other professional
requirements, or requirements in law or regulation, regarding the firm’s
responsibility for its system of quality control, that are at least as demanding as
CSQC 1.
.13
When expressing an opinion on compliance with specified authorities, the
auditor should in his or her report:
(a) Describe the scope of the audit by:
(i) Identifying the entity or portion thereof being reported on;
(ii) Specifying the authorities against which compliance is being reported;
and
(iii) Stating that the audit was performed in accordance with Canadian
Standards for Assurance Engagements generally accepted auditing
standards; and
(b) Include a statement that the firm of which the practitioner is a member
applies CSQC 1, Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance Engagements,
or other professional requirements, or requirements in law or regulation,
that are at least as demanding as CSQC 1. If a practitioner is not a
professional accountant, the statement should identify the professional
requirements, or requirements in law or regulation, applied that are at
least as demanding as CSQC 1.
(c) Include a statement that the practitioner complies with the
independence and other ethical requirements of relevant rules of
professional conduct/code of ethics applicable to the practice of public
accounting and related to assurance engagements, issued by various
professional accounting bodies relevant to assurance engagements or
other professional requirements, or requirements imposed by law or
regulation, that are at least as demanding. If the practitioner is not a
professional accountant, the statement should identify the professional
requirements, or requirements imposed by law or regulation, applied
that are at least as demanding.
(b)(d) Express his or her opinion whether the entity or portion thereof has
complied, in all significant respects, with the specified authorities. The
auditor should provide adequate explanation with respect to any
reservation contained in his or her opinion.
(e) The practitioner's signature.
(f) The date of the assurance report which shall be no earlier than the date
on which the practitioner has obtained the evidence on which the
practitioner’s conclusion is based.
(g) The location in the jurisdiction where the practitioner practices.
.23
When reporting instances of non-compliance with authorities, the auditor should
in his or her report:
(a) Describe the context in which the instances of non-compliance with
authorities are being reported by:
(i) Describing the requirements of the audit mandate;
(ii) Identifying the entity or portion thereof being reported on;
(iii) Describing the approach followed by the auditor in selecting matters to
be audited; and
(iv) Stating that the audit of each matter reported was performed in
accordance with Canadian Standards on Assurance Engagements
Canadian generally accepted auditing standards;
(b) Caution against drawing conclusions as to compliance or non-compliance
with respect to matters not reported; and
(c) For each reported instance of non-compliance:
(i) Describe the matter being reported together with, if relevant and
practicable, the monetary effect;
(ii) Specify the authority or authorities not complied with; and
(iii) State that, in his or her opinion, the matter was not in compliance with
the authority or authorities specified.
VALUE-FOR-MONEY AUDITING IN THE PUBLIC SECTOR, Section PS 5400
.09
When engaged to perform a value-for-money audit, the auditor should follow the
general and performance standards set out in STANDARDS FOR
ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF FINANCIAL
STATEMENTS AND OTHER HISTORICAL FINANCIAL INFORMATION,
Section 5025. comply with CSAE 3001, Direct Engagements, and this Section.
This Section supplements, but does not replace CSAE 3001, and expands on
how CSAE 3001 is to be applied in a value-for-money audit in the public sector.
.09A
Compliance with CSAE 3001, Direct Engagements, requires, among other
things, compliance with relevant rules of professional conduct/code of ethics,
applicable to the practice of public accounting and related to assurance
engagements, issued by various professional accounting bodies or other
professional requirements, or requirements in law or regulation, that are at least
as demanding. It also requires the engagement partner to be a member of a
firm that applies CSQC 1, Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance Engagements, or other
professional requirements, or requirements in law or regulation, regarding the
firm’s responsibility for its system of quality control, that are at least as
demanding as CSQC 1.
.11
When an auditor expresses an opinion with respect to an entity, or portion
thereof, the auditor should report in accordance with paragraph 70 of
5025.62CSAE 3001, Direct Engagements. In complying with paragraph
5025.62(e), the auditor should refer to the "Standards for Assurance
Engagements."
.12
When an auditor reports observed deficiencies, the auditor should in his or her
report:
(a) describe the objectives and scope of the audit including any limitations
therein;
(b) state that the audit was performed in accordance with these
value-for-money auditing standards VALUE-FOR-MONEY AUDITING IN THE
PUBLIC SECTOR, Section PS 5400;
(c) Include a statement that the firm of which the auditor is a member
applies CSQC 1, Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance Engagements,
or other professional requirements, or requirements in law or regulation,
that are at least as demanding as CSQC 1. If an auditor is not a
professional accountant, the statement should identify the professional
requirements, or requirements in law or regulation, applied that are at
least as demanding as CSQC 1.
(d) Include a statement that the auditor complies with the independence
and other ethical requirements of relevant rules of professional
conduct/code of ethics applicable to the practice of public accounting
and related to assurance engagements, issued by various professional
accounting bodies relevant to assurance engagements or other
professional requirements, or requirements imposed by law or
regulation, that are at least as demanding. If the auditor is not a
professional accountant, the statement should identify the professional
requirements, or requirements imposed by law or regulation, applied
that are at least as demanding.
(c)(e) Identify the criteria and describe the findings which form the basis for
the auditor's conclusions; and
(d)(f) State his or her conclusions.
© 2014 Chartered Professional Accountants of Canada
Excerpts from and/or links to this publication may be used, provided that full and clear
credit is given to the appropriate Financial Reporting & Assurance Standards Canada
board, oversight council, committee or individual author, with appropriate and specific
direction to the original content.
For assistance with crediting this publication, please contact fras-nifccanada@cpacanada.ca.